Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(secret): alter secret in catalog #19495

Merged
merged 13 commits into from
Nov 26, 2024
Merged

Conversation

yuhao-su
Copy link
Contributor

@yuhao-su yuhao-su commented Nov 20, 2024

I hereby agree to the terms of the RisingWave Labs, Inc. Contributor License Agreement.

What's changed and what's your intention?

This PR introduced alter secret in the catalog. But for secrets used in running jobs, they will not be changed until the executor has been rebuilt (by restarting the cluster)

Checklist

  • I have written necessary rustdoc comments
  • I have added necessary unit tests and integration tests
  • I have added test labels as necessary. See details.
  • I have added fuzzing tests or opened an issue to track them. (Optional, recommended for new SQL features Sqlsmith: Sql feature generation #7934).
  • My PR contains breaking changes. (If it deprecates some features, please create a tracking issue to remove them in the future).
  • All checks passed in ./risedev check (or alias, ./risedev c)
  • My PR changes performance-critical code. (Please run macro/micro-benchmarks and show the results.)
  • My PR contains critical fixes that are necessary to be merged into the latest release. (Please check out the details)

Documentation

  • My PR needs documentation updates. (Please use the Release note section below to summarize the impact on users)

You can alter a secret value by using ALTER SECRET your_secret_name WITH (backend = 'meta') AS 'your_new_secret'.

Note that altering a secret will not result in a change of secret being used in a running job until the job is restarted (e.g. by restarting the cluster).

Release note

If this PR includes changes that directly affect users or other significant modifications relevant to the community, kindly draft a release note to provide a concise summary of these changes. Please prioritize highlighting the impact these changes will have on users.

@graphite-app graphite-app bot requested a review from a team November 20, 2024 20:50
@graphite-app graphite-app bot requested a review from a team November 21, 2024 02:42
Copy link
Contributor

@tabVersion tabVersion left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The impl LGTM, please add an e2e check if we can apply a secret change to running actor by calling recover.

my thoughts about the test

  • two kafka topic with 1 partition: topic_0 and topic_1,
    • fill some data, eg. message in topic_0 starts with 0 and message in topic_1 starts with 1.
  • create a table with kafka connector, using secret to spec the topic to topic_0
    • check the data from topic_0
  • pause the cluster, alter the secret pointing to topic_1, pushing new data to both topics, then resume the cluster
  • check the new data is from topic_1

secret.value = encrypted_payload;
self.metadata_manager
.catalog_controller
.alter_secret(secret, secret_plain_payload)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why we need a plain secret here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To update the local secret manager.

Comment on lines +219 to +221
pub enum AlterSecretOperation {
ChangeCredential { new_credential: Value },
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what else operation can alter secret do?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SET SCHEMA, change WITH option etc..

@@ -40,6 +40,23 @@ create secret secret_1 with (
backend = 'meta'
) as 'demo_secret';

statement ok
alter secret secret_1 with (
backend = 'meta'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The backend option should not appear in the alter secret statement. To follow the convention of other alter commands, only the changed part should be provided. Here the backend option is obviously untouched, so users should not write it here.

But, furthermore, I think backend shouldn't be a per-secret option. In my mind it should be a global-wise config and can't be changed after cluster initialized.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But, furthermore, I think backend shouldn't be a per-secret option. In my mind it should be a global-wise config and can't be changed after cluster initialized.

It's a bit off-topic. We can create a new issue

Copy link
Contributor Author

@yuhao-su yuhao-su Nov 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand the concern here. I was thinking the same. But there are 2 problems

  1. We are doing something unusual here. The backend info in with option is also encrypted. We need to decrypt the original secret to write the new one. I can do this.
  2. For hashvault, there is no value we can alter, we can only alter the with. For meta backend, user can alter the secret to using hashvault or just the value. So I try to ask user to write both WITH and AS so they know what they are doing.

So anyway, I think get rid of the WITH here is also a good choice. Will change this.

Copy link
Member

@fuyufjh fuyufjh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Generally LGTM

@@ -74,7 +74,23 @@ impl LocalSecretManager {

pub fn add_secret(&self, secret_id: SecretId, secret: Vec<u8>) {
let mut secret_guard = self.secrets.write();
secret_guard.insert(secret_id, secret);
if secret_guard.insert(secret_id, secret).is_some() {
tracing::error!(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point. I tend to make it a real error i.e. return Err(...) and reject the add_secret

The status quo is somehow weird to me - an error log is printed, but the action actually succeeded.

Copy link
Contributor Author

@yuhao-su yuhao-su Nov 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is actually intentional or something we have to do.

  1. add_secret is called using the LocalSecretManager on each worker node asynchronizly by notification service, so we can't return an error just like any other notification serivces.
  2. alter secret result was already persisted to meta before we call add_secret. So returning an error here can confuse users unless we decide to roll back the meta commit. Besides, this secret_id cames from meta catalog, so we should trust the data from meta instead of LocalSecretManager

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is still a little weird to me. I understand the LocalSecretManager cannot reject adding a new secret but we can always do such check on the meta node.

pub fn update_secret(&self, secret_id: SecretId, secret: Vec<u8>) {
let mut secret_guard = self.secrets.write();
if secret_guard.insert(secret_id, secret).is_none() {
tracing::error!(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ditto.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it trigger the existing actors to upgrade to the new secret?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it trigger the existing actors to upgrade to the new secret?

No. Already doced this limitation in PR.

@yuhao-su
Copy link
Contributor Author

yuhao-su commented Nov 26, 2024

we can apply a secret change to running actor by calling recover

Added the test in CDC test. A potential problem with your proposal is those 2 topics won't share the offset and it's not a real use case.

@tabVersion
Copy link
Contributor

we can apply a secret change to running actor by calling recover

Added the test in CDC test. A potential problem with your proposal is those 2 topics won't share the offset and it's not a real use case.

Yes, a little hack here. Anyway, it is good to have a test here.

@@ -74,7 +74,23 @@ impl LocalSecretManager {

pub fn add_secret(&self, secret_id: SecretId, secret: Vec<u8>) {
let mut secret_guard = self.secrets.write();
secret_guard.insert(secret_id, secret);
if secret_guard.insert(secret_id, secret).is_some() {
tracing::error!(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is still a little weird to me. I understand the LocalSecretManager cannot reject adding a new secret but we can always do such check on the meta node.

Comment on lines +1412 to +1413
let secret: secret::ActiveModel = pb_secret.clone().into();
Secret::update(secret).exec(&txn).await?;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe do a secret existance check here?

Copy link
Contributor Author

@yuhao-su yuhao-su Nov 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Already checked in frontend. But I guess it won't hurt to check again on meta.

@yuhao-su yuhao-su enabled auto-merge November 26, 2024 15:49
@yuhao-su yuhao-su added this pull request to the merge queue Nov 26, 2024
Merged via the queue into main with commit 5070856 Nov 26, 2024
33 of 34 checks passed
@yuhao-su yuhao-su deleted the yuhao/alter-secret-catalog branch November 26, 2024 16:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants