apache · dataroaring · Jun 19, 2025 · Jun 12, 2025
@@ -229,7 +229,8 @@ static HttpResponse process_get_obj_store_info(MetaServiceImpl* service, brpc::C
 static HttpResponse process_alter_obj_store_info(MetaServiceImpl* service, brpc::Controller* ctrl) {
     static std::unordered_map<std::string_view, AlterObjStoreInfoRequest::Operation> operations {
             {"add_obj_info", AlterObjStoreInfoRequest::ADD_OBJ_INFO},
-            {"legacy_update_ak_sk", AlterObjStoreInfoRequest::LEGACY_UPDATE_AK_SK}};
+            {"legacy_update_ak_sk", AlterObjStoreInfoRequest::LEGACY_UPDATE_AK_SK},
+            {"alter_obj_info", AlterObjStoreInfoRequest::ALTER_OBJ_INFO}};
 
     auto& path = ctrl->http_request().unresolved_path();
     auto it = operations.find(remove_version_prefix(path));
@@ -251,6 +252,7 @@ static HttpResponse process_alter_storage_vault(MetaServiceImpl* service, brpc::
     static std::unordered_map<std::string_view, AlterObjStoreInfoRequest::Operation> operations {
             {"drop_s3_vault", AlterObjStoreInfoRequest::DROP_S3_VAULT},
             {"add_s3_vault", AlterObjStoreInfoRequest::ADD_S3_VAULT},
+            {"alter_s3_vault", AlterObjStoreInfoRequest::ALTER_S3_VAULT},
             {"drop_hdfs_vault", AlterObjStoreInfoRequest::DROP_HDFS_INFO},
             {"add_hdfs_vault", AlterObjStoreInfoRequest::ADD_HDFS_INFO}};
 
@@ -740,6 +742,10 @@ void MetaServiceImpl::http(::google::protobuf::RpcController* controller,
             {"alter_s3_vault", process_alter_storage_vault},
             {"drop_s3_vault", process_alter_storage_vault},
             {"drop_hdfs_vault", process_alter_storage_vault},
+            {"alter_obj_info", process_alter_obj_store_info},
+            {"v1/alter_obj_info", process_alter_obj_store_info},
+            {"v1/alter_s3_vault", process_alter_storage_vault},
+
             // for tools
             {"decode_key", process_decode_key},
             {"encode_key", process_encode_key},

@@ -677,14 +677,6 @@ static int alter_s3_storage_vault(InstanceInfoPB& instance, std::unique_ptr<Tran
         return -1;
     }
 
-    if (obj_info.has_ak() ^ obj_info.has_sk()) {
-        code = MetaServiceCode::INVALID_ARGUMENT;
-        std::stringstream ss;
-        ss << "Accesskey and secretkey must be alter together";
-        msg = ss.str();
-        return -1;
-    }
-
     const auto& name = vault.name();
     // Here we try to get mutable iter since we might need to alter the vault name
     auto name_itr = std::find_if(instance.mutable_storage_vault_names()->begin(),
@@ -723,6 +715,8 @@ static int alter_s3_storage_vault(InstanceInfoPB& instance, std::unique_ptr<Tran
         return -1;
     }
 
+    auto origin_vault_info = new_vault.DebugString();
+
     if (vault.has_alter_name()) {
         if (!is_valid_storage_vault_name(vault.alter_name())) {
             code = MetaServiceCode::INVALID_ARGUMENT;
@@ -742,13 +736,26 @@ static int alter_s3_storage_vault(InstanceInfoPB& instance, std::unique_ptr<Tran
         new_vault.set_name(vault.alter_name());
         *name_itr = vault.alter_name();
     }
-    auto origin_vault_info = new_vault.DebugString();
 
-    // For ak or sk is not altered.
-    EncryptionInfoPB encryption_info = new_vault.obj_info().encryption_info();
-    AkSkPair new_ak_sk_pair {new_vault.obj_info().ak(), new_vault.obj_info().sk()};
+    if (obj_info.has_role_arn() && (obj_info.has_ak() || obj_info.has_sk())) {
+        code = MetaServiceCode::INVALID_ARGUMENT;
+        msg = "invaild argument, both set ak/sk and role_arn is not allowed";
+        LOG(WARNING) << msg;
+        return -1;
+    }
+
+    if (obj_info.has_ak() ^ obj_info.has_sk()) {
+        code = MetaServiceCode::INVALID_ARGUMENT;
+        std::stringstream ss;
+        ss << "Accesskey and secretkey must be alter together";
+        msg = ss.str();
+        return -1;
+    }
 
     if (obj_info.has_ak()) {
+        EncryptionInfoPB encryption_info = new_vault.obj_info().encryption_info();
+        AkSkPair new_ak_sk_pair {new_vault.obj_info().ak(), new_vault.obj_info().sk()};
+
         // ak and sk must be altered together, there is check before.
         auto ret = encrypt_ak_sk_helper(obj_info.ak(), obj_info.sk(), &encryption_info,
                                         &new_ak_sk_pair, code, msg);
@@ -758,15 +765,36 @@ static int alter_s3_storage_vault(InstanceInfoPB& instance, std::unique_ptr<Tran
             LOG(WARNING) << msg;
             return -1;
         }
+        new_vault.mutable_obj_info()->clear_role_arn();
+        new_vault.mutable_obj_info()->clear_external_id();
+        new_vault.mutable_obj_info()->clear_cred_provider_type();
+
+        new_vault.mutable_obj_info()->set_ak(new_ak_sk_pair.first);
+        new_vault.mutable_obj_info()->set_sk(new_ak_sk_pair.second);
+        new_vault.mutable_obj_info()->mutable_encryption_info()->CopyFrom(encryption_info);
+    }
+
+    if (obj_info.has_role_arn()) {
+        new_vault.mutable_obj_info()->clear_ak();
+        new_vault.mutable_obj_info()->clear_sk();
+        new_vault.mutable_obj_info()->clear_encryption_info();
+
+        new_vault.mutable_obj_info()->set_role_arn(obj_info.role_arn());
+        new_vault.mutable_obj_info()->set_cred_provider_type(CredProviderTypePB::INSTANCE_PROFILE);
+        if (obj_info.has_external_id()) {
+            new_vault.mutable_obj_info()->set_external_id(obj_info.external_id());
+        }
     }
 
-    new_vault.mutable_obj_info()->set_ak(new_ak_sk_pair.first);
-    new_vault.mutable_obj_info()->set_sk(new_ak_sk_pair.second);
-    new_vault.mutable_obj_info()->mutable_encryption_info()->CopyFrom(encryption_info);
     if (obj_info.has_use_path_style()) {
         new_vault.mutable_obj_info()->set_use_path_style(obj_info.use_path_style());
     }
 
+    auto now_time = std::chrono::system_clock::now();
+    uint64_t time =
+            std::chrono::duration_cast<std::chrono::seconds>(now_time.time_since_epoch()).count();
+    new_vault.mutable_obj_info()->set_mtime(time);
+
     auto new_vault_info = new_vault.DebugString();
     val = new_vault.SerializeAsString();
     if (val.empty()) {
@@ -825,6 +853,7 @@ static int extract_object_storage_info(const AlterObjStoreInfoRequest* request,
         if (!obj.has_ak() || !obj.has_sk()) {
             code = MetaServiceCode::INVALID_ARGUMENT;
             msg = "s3 obj info err " + proto_to_json(*request);
+            LOG(INFO) << msg;
             return -1;
         }
 
@@ -839,13 +868,12 @@ static int extract_object_storage_info(const AlterObjStoreInfoRequest* request,
         ak = cipher_ak_sk_pair.first;
         sk = cipher_ak_sk_pair.second;
     } else {
-        if (!obj.has_cred_provider_type() ||
-            obj.cred_provider_type() != CredProviderTypePB::INSTANCE_PROFILE ||
-            !obj.has_provider() || obj.provider() != ObjectStoreInfoPB::S3) {
+        if (obj.has_ak() || obj.has_sk()) {
             code = MetaServiceCode::INVALID_ARGUMENT;
-            msg = "s3 conf info err with role_arn, please check it";
+            msg = "invaild argument, both set ak/sk and role_arn is not allowed";
             return -1;
         }
+
         role_arn = obj.has_role_arn() ? obj.role_arn() : "";
         external_id = obj.has_external_id() ? obj.external_id() : "";
     }
@@ -1044,6 +1072,16 @@ void MetaServiceImpl::alter_storage_vault(google::protobuf::RpcController* contr
             return;
         }
 
+        if (!role_arn.empty()) {
+            if (!obj.has_cred_provider_type() ||
+                obj.cred_provider_type() != CredProviderTypePB::INSTANCE_PROFILE ||
+                !obj.has_provider() || obj.provider() != ObjectStoreInfoPB::S3) {
+                code = MetaServiceCode::INVALID_ARGUMENT;
+                msg = "s3 conf info err with role_arn, please check it";
+                return;
+            }
+        }
+
         auto& objs = instance.obj_info();
         for (auto& it : objs) {
             if (bucket == it.bucket() && prefix == it.prefix() && endpoint == it.endpoint() &&
@@ -1210,6 +1248,7 @@ void MetaServiceImpl::alter_obj_store_info(google::protobuf::RpcController* cont
     switch (request->op()) {
     case AlterObjStoreInfoRequest::ADD_OBJ_INFO:
     case AlterObjStoreInfoRequest::LEGACY_UPDATE_AK_SK:
+    case AlterObjStoreInfoRequest::ALTER_OBJ_INFO:
     case AlterObjStoreInfoRequest::UPDATE_AK_SK: {
         auto tmp_desc = ObjectStorageDesc {ak,       sk,
                                            bucket,   prefix,
@@ -1287,7 +1326,8 @@ void MetaServiceImpl::alter_obj_store_info(google::protobuf::RpcController* cont
     }
 
     switch (request->op()) {
-    case AlterObjStoreInfoRequest::LEGACY_UPDATE_AK_SK: {
+    case AlterObjStoreInfoRequest::LEGACY_UPDATE_AK_SK:
+    case AlterObjStoreInfoRequest::ALTER_OBJ_INFO: {
         // get id
         std::string id = request->obj().has_id() ? request->obj().id() : "0";
         int idx = std::stoi(id);
@@ -1301,20 +1341,55 @@ void MetaServiceImpl::alter_obj_store_info(google::protobuf::RpcController* cont
                 const_cast<std::decay_t<decltype(instance.obj_info())>&>(instance.obj_info());
         for (auto& it : obj_info) {
             if (std::stoi(it.id()) == idx) {
-                if (it.ak() == ak && it.sk() == sk) {
-                    // not change, just return ok
-                    code = MetaServiceCode::OK;
-                    msg = "";
-                    return;
+                if (role_arn.empty()) {
+                    if (it.ak() == ak && it.sk() == sk) {
+                        // not change, just return ok
+                        code = MetaServiceCode::OK;
+                        msg = "ak/sk not changed";
+                        return;
+                    }
+                    it.clear_role_arn();
+                    it.clear_external_id();
+                    it.clear_cred_provider_type();
+
+                    it.set_ak(ak);
+                    it.set_sk(sk);
+                    it.mutable_encryption_info()->CopyFrom(encryption_info);
+                } else {
+                    if (!ak.empty() || !sk.empty()) {
+                        code = MetaServiceCode::INVALID_ARGUMENT;
+                        msg = "invaild argument, both set ak/sk and role_arn is not allowed";
+                        LOG(INFO) << msg;
+                        return;
+                    }
+
+                    if (it.provider() != ObjectStoreInfoPB::S3) {
+                        code = MetaServiceCode::INVALID_ARGUMENT;
+                        msg = "role_arn is only supported for s3 provider";
+                        LOG(INFO) << msg << " provider=" << it.provider();
+                        return;
+                    }
+
+                    if (it.role_arn() == role_arn && it.external_id() == external_id) {
+                        // not change, just return ok
+                        code = MetaServiceCode::OK;
+                        msg = "ak/sk not changed";
+                        return;
+                    }
+                    it.clear_ak();
+                    it.clear_sk();
+                    it.clear_encryption_info();
+
+                    it.set_role_arn(role_arn);
+                    it.set_external_id(external_id);
+                    it.set_cred_provider_type(CredProviderTypePB::INSTANCE_PROFILE);
                 }
+
                 auto now_time = std::chrono::system_clock::now();
                 uint64_t time = std::chrono::duration_cast<std::chrono::seconds>(
                                         now_time.time_since_epoch())
                                         .count();
                 it.set_mtime(time);
-                it.set_ak(ak);
-                it.set_sk(sk);
-                it.mutable_encryption_info()->CopyFrom(encryption_info);
             }
         }
     } break;