risingwavelabs · yuhao-su · Jul 29, 2024 · Jul 26, 2024 · Jul 26, 2024 · Jul 29, 2024
diff --git a/e2e_test/ddl/secret.slt b/e2e_test/ddl/secret.slt
@@ -1,3 +1,33 @@
+statement ok
+ALTER SYSTEM SET license_key TO '';
+
+statement error
+create secret secret_1 with (
+  backend = 'fake-backend'
+) as 'demo_secret';
+----
+db error: ERROR: Failed to run the query
+
+Caused by:
+  feature SecretManagement is only available for tier Paid and above, while the current tier is Free
+
+Hint: You may want to set a license key with `ALTER SYSTEM SET license_key = '...';` command.
+
+
+statement error
+drop secret secret_1;
+----
+db error: ERROR: Failed to run the query
+
+Caused by:
+  feature SecretManagement is only available for tier Paid and above, while the current tier is Free
+
+Hint: You may want to set a license key with `ALTER SYSTEM SET license_key = '...';` command.
+
+
+statement ok
+ALTER SYSTEM SET license_key TO DEFAULT;
+
 statement error secret backend "fake-backend" is not supported
 create secret secret_1 with (
   backend = 'fake-backend'

diff --git a/src/frontend/src/handler/create_secret.rs b/src/frontend/src/handler/create_secret.rs
@@ -15,6 +15,7 @@
 use pgwire::pg_response::{PgResponse, StatementType};
 use prost::Message;
 use risingwave_common::bail_not_implemented;
+use risingwave_common::license::Feature;
 use risingwave_sqlparser::ast::{CreateSecretStatement, SqlOption, Value};
 
 use crate::error::{ErrorCode, Result};
@@ -30,6 +31,10 @@ pub async fn handle_create_secret(
     handler_args: HandlerArgs,
     stmt: CreateSecretStatement,
 ) -> Result<RwPgResponse> {
+    Feature::SecretManagement
+        .check_available()
+        .map_err(|e| anyhow::anyhow!(e))?;
+
     let session = handler_args.session.clone();
     let db_name = session.database();
     let (schema_name, connection_name) =

diff --git a/src/frontend/src/handler/drop_secret.rs b/src/frontend/src/handler/drop_secret.rs
@@ -13,6 +13,7 @@
 // limitations under the License.
 
 use pgwire::pg_response::StatementType;
+use risingwave_common::license::Feature;
 use risingwave_sqlparser::ast::ObjectName;
 
 use crate::catalog::root_catalog::SchemaPath;
@@ -25,6 +26,10 @@ pub async fn handle_drop_secret(
     secret_name: ObjectName,
     if_exists: bool,
 ) -> Result<RwPgResponse> {
+    Feature::SecretManagement
+        .check_available()
+        .map_err(|e| anyhow::anyhow!(e))?;
+
     let session = handler_args.session;
     let db_name = session.database();
     let (schema_name, secret_name) = Binder::resolve_schema_qualified_name(db_name, secret_name)?;

diff --git a/src/license/src/feature.rs b/src/license/src/feature.rs
@@ -46,6 +46,7 @@ macro_rules! for_all_features {
             { TestPaid,             Paid,       "A dummy feature that's only available on paid tier for testing purposes." },
             { TimeTravel,           Paid,       "Query historical data within the retention period."},
             { GlueSchemaRegistry,   Paid,       "Use Schema Registry from AWS Glue rather than Confluent." },
+            { SecretManagement,     Paid,       "Secret management" },
         }
     };
 }