feat(secret): alter secret in catalog

[yuhao-su]

I hereby agree to the terms of the RisingWave Labs, Inc. Contributor License Agreement.

What's changed and what's your intention?

This PR introduced alter secret in the catalog. But for secrets used in running jobs, they will not be changed until the executor has been rebuilt (by restarting the cluster)

Checklist

• I have written necessary rustdoc comments
• I have added necessary unit tests and integration tests
• I have added test labels as necessary. See details.
• I have added fuzzing tests or opened an issue to track them. (Optional, recommended for new SQL features Sqlsmith: Sql feature generation #7934).
• My PR contains breaking changes. (If it deprecates some features, please create a tracking issue to remove them in the future).
• All checks passed in ./risedev check (or alias, ./risedev c)
• My PR changes performance-critical code. (Please run macro/micro-benchmarks and show the results.)

• My PR contains critical fixes that are necessary to be merged into the latest release. (Please check out the details)

Documentation

• My PR needs documentation updates. (Please use the Release note section below to summarize the impact on users)

You can alter a secret value by using ALTER SECRET your_secret_name WITH (backend = 'meta') AS 'your_new_secret'.

Note that altering a secret will not result in a change of secret being used in a running job until the job is restarted (e.g. by restarting the cluster).

Release note

If this PR includes changes that directly affect users or other significant modifications relevant to the community, kindly draft a release note to provide a concise summary of these changes. Please prioritize highlighting the impact these changes will have on users.

[tabVersion]

The impl LGTM, please add an e2e check if we can apply a secret change to running actor by calling recover.

my thoughts about the test

• two kafka topic with 1 partition: topic_0 and topic_1,
  • fill some data, eg. message in topic_0 starts with 0 and message in topic_1 starts with 1.
• create a table with kafka connector, using secret to spec the topic to topic_0
  • check the data from topic_0
• pause the cluster, alter the secret pointing to topic_1, pushing new data to both topics, then resume the cluster
• check the new data is from topic_1

[tabVersion]

why we need a plain secret here?

[yuhao-su]

To update the local secret manager.

[tabVersion]

what else operation can alter secret do?

[yuhao-su]

SET SCHEMA, change WITH option etc..

[fuyufjh]

The backend option should not appear in the alter secret statement. To follow the convention of other alter commands, only the changed part should be provided. Here the backend option is obviously untouched, so users should not write it here.

But, furthermore, I think backend shouldn't be a per-secret option. In my mind it should be a global-wise config and can't be changed after cluster initialized.

[fuyufjh]

But, furthermore, I think backend shouldn't be a per-secret option. In my mind it should be a global-wise config and can't be changed after cluster initialized.

It's a bit off-topic. We can create a new issue

[yuhao-su]

I understand the concern here. I was thinking the same. But there are 2 problems

1. We are doing something unusual here. The backend info in with option is also encrypted. We need to decrypt the original secret to write the new one. I can do this.
2. For hashvault, there is no value we can alter, we can only alter the with. For meta backend, user can alter the secret to using hashvault or just the value. So I try to ask user to write both WITH and AS so they know what they are doing.

So anyway, I think get rid of the WITH here is also a good choice. Will change this.

[fuyufjh]

Generally LGTM

[fuyufjh]

Good point. I tend to make it a real error i.e. return Err(...) and reject the add_secret

The status quo is somehow weird to me - an error log is printed, but the action actually succeeded.

[yuhao-su]

This is actually intentional or something we have to do.

1. add_secret is called using the LocalSecretManager on each worker node asynchronizly by notification service, so we can't return an error just like any other notification serivces.
2. alter secret result was already persisted to meta before we call add_secret. So returning an error here can confuse users unless we decide to roll back the meta commit. Besides, this secret_id cames from meta catalog, so we should trust the data from meta instead of LocalSecretManager

[fuyufjh]

Ditto.

[fuyufjh]

Does it trigger the existing actors to upgrade to the new secret?

[yuhao-su]

Does it trigger the existing actors to upgrade to the new secret?

No. Already doced this limitation in PR.