Add a command to explicitly purge the metastore

[eric-maynard]

Description

This adds a new command, purge, that must be run in order to purge entities from the metastore.

Additionally, bootstrapping will now fail if entities exist in the metastore instead of purging them.

Type of change

Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Previous behavior:

java -jar .app/polaris-service-1.0.0-all.jar bootstrap polaris-server.yml
. . .
(Succeeds)

New behavior:

java -jar .app/polaris-service-1.0.0-all.jar bootstrap polaris-server.yml
. . .
It appears this metastore manager has already been bootstrapped...

New behavior + purge:

java -jar .app/polaris-service-1.0.0-all.jar purge polaris-server.yml
. . .
(Succeeds)
. . .
java -jar .app/polaris-service-1.0.0-all.jar bootstrap polaris-server.yml
(Succeeds)

Checklist:

• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• My changes generate no new warnings
• New and existing unit tests pass locally with my changes

[snazy]

I'm on the fence with some --overwrite flag that purges (some) state.

bootstrap is a one-off operation that, I think, should fail when the system's already bootstrapped.

I think, it's better to have an explicit command or tool to purge / reset to avoid accidentally resetting principals. WDYT?

[eric-maynard]

Thanks for taking a look @snazy -- to be clear, the current behavior is that bootstrap will silently purge the state. This PR proposes a flag you have to set in order to confirm that you really want to do this. And without that flag bootstrap will fail when the system is already bootstrapped.

[snazy]

Oh - right - that "bark at you" code part is new. Can we add the "barking" part and have a "purge root-principals" command or so?

[snazy]

I feel that's a bit safer - humans tend to be lazy (and forget that they have such --overwrite flags set) and wonder why things break.

[RussellSpitzer]

Will this be version safe in the future? For now I assume this is safe but in the future could readEntityByName fail for a Polaris catalog bootstrapped from an earlier version?

This seems like a good check to have for now, I'm just more worried about what happens if this call fails because the current version of Polaris just doesn't understand how to look up the Principal in the past.

[eric-maynard]

This is an important concern and it's why we don't rely on a check like this to auto-bootstrap... but it seems to me that this check is much less critical. That scenario would be very bad for other reasons, but here you would only be losing the protection of the --overwrite flag.

[RussellSpitzer]

@snazy I think we probably can't safely always validate (or require that an implementation can validate) that existing information is in the destination. I like this though because it is at least safer than the current behavior.

[snazy]

I think we probably can't safely always validate (or require that an implementation can validate) that existing information is in the destination. I like this though because it is at least safer than the current behavior.

Sure, having this check is definitely a good thing. What I'm thinking of is:

• not having an --overwrite flag, but let bootstrap always fail with that check but
• have a new command to explicitly purge the principal

Thinking of humans leaving the --overwrite in for all deployments - (and complain that authn no longer works after a restart).

[eric-maynard]

I don't think we want to break bootstrap into purge + bootstrap. Not all metastore managers will necessarily purge on bootstrap. We want to just gate bootstrapping behind an additional flag on a best-effort basis in the case that we detect bootstrapping may have already been performed.

--overwrite doesn't appear in the docs and only appears in this error message, so for now it's hard to imagine someone always leaving --overwrite on their bootstrap command without knowing what it does. And if we can imagine such a state, it's not such a stretch to also imagine that they leave the purge command in there too.

[collado-mike]

IDK, I like the option to purge because I feel it is very explicit and we should expect the implementation to be thorough. bootstrap is necessarily an unauthenticated command, whereas the purge operation ought to require root credentials (there's a question of how does someone bootstrap if they lost their root credentials, at which point I think they should require direct database access).

If bootstrap --overwrite merely focuses on replacing the root principal/secrets, there's a risk that someone could bootstrap an existing installation but not delete the pre-existing data. In my mind, purge means delete all the things, so purge then bootstrap should result in the expected behavior.

[eric-maynard]

Thanks for taking a look @collado-mike & @snazy -- I have implemented a purge command based on my understanding of the discussion above. Please take a look at let me know if this matches what you had in mind. Thanks!

[snazy]

One nit, but overall LGTM.
Deferring review to @collado-mike, because this related code base a bit better ;)

[MonkeyCanCode]

@flyrain can we have this merge if not other blockers so the bootstrap won't wipe the backend if accidently got ran more than once. Then I can test if anything additional will be needed on the helm side as well to handle those.

[flyrain]

LGTM with minor comments.

[flyrain]

Nit: we can use var to simplify a bit.

[flyrain]

Nit: We can use var to simplify and keep them in one line

[eric-maynard]

I haven’t seen any use of `var` outside of tests in this project; might there be compatibility concerns? Is this merge blocking?

…

On Sat, Aug 17, 2024 at 6:20 PM Yufei Gu ***@***.***> wrote: ***@***.**** approved this pull request. LGTM with minor comments. ------------------------------ In polaris-service/src/main/java/io/polaris/service/BootstrapRealmsCommand.java <#59 (comment)> : > + Map<String, PolarisMetaStoreManager.PrincipalSecretsResult> results = + metaStoreManagerFactory.bootstrapRealms(configuration.getDefaultRealms()); Nit: we can use var to simplify a bit. ------------------------------ In polaris-service/src/main/java/io/polaris/service/BootstrapRealmsCommand.java <#59 (comment)> : > + for (Map.Entry<String, PolarisMetaStoreManager.PrincipalSecretsResult> result : + results.entrySet()) { Nit: We can use var to simplify and keep them in one line — Reply to this email directly, view it on GitHub <#59 (review)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AFRE3SGK6EGIGJAZYNFAK6DZR7EDDAVCNFSM6AAAAABL27URICVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDENBUGE2TOOJYGI> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[flyrain]

I think it's fine to use var as Polaris requires jdk 11 for core and jdk21 for others. var was introduced in jdk 10. To be clear, they are not blockers. I will merge it tonight if no more comments.

[flyrain]

Thanks @eric-maynard for the change. Thanks @collado-mike @snazy @RussellSpitzer @MonkeyCanCode for the review.