Core persistence refactor phase 1 - extract BasePersistence and BaseMetaStoreManager to isolate all "transaction" behaviors

[dennishuo]

Though this isn't 100% of the persistence refactor yet for unlocking non-transactional databases, this gets the main structure of the lower-level store layer mostly settled and possibly ready for parallel implementation work.

Fully remove the vestigial "entitiesDropped" methods; these were originally for UNDROP but ended up not being used; they can be reintroduced with better design in the future if we want to add UNDROP.

Extract BasePersistence interface as parent interface of PolarisMetaStoreSession which now becomes an abstract class;
only leave the transaction-specific methods in PolarisMetaStoreSession.

Eliminate all direct interaction with the "triplet tables" (entities/entitiesActive/entitiesChangeTracking) from PolarisMetaStoreManagerImpl in favor of aggregate methods declared in BasePersistence, and have the abstract base class PolarisMetaStoreSession handle the juggling of the three related tables.

This includes lookupEntities[Active], writeToEntities[Active], deleteFromEntities[Active], etc.

The new writeEntity method in BasePersistence now also includes originalEntity to make it more explicit what to use for the compare-and-swap. Technically we 90% only need the originalEntity.getEntityVersion() and originalEntity.getGrantRecordsVersion(), and in just the renameEntity case we also need to use originalEntity.getParentId() and originalEntity.getName(), but for now it doesn't hurt to just plumb in the entire original entity.

[dimas-b]

Thanks for this PR @dennishuo ! I think it is a step in the right direction for eventual NoSQL support :)

Some preliminary comments for now... more to come.

[dimas-b]

Why would PolarisCallContext have DB-specific stuff? How do you envision the purpose and use cases of PolarisCallContext?

[dennishuo]

The MetaStoreSessionFactory kind of implies at least baking in the realmContext during the construction of the handle into the persistence store. So in general one might decorate the handle into the persistence store with various elements of traceability/auditability, blast-radius reduction (e.g. if it could connect to the backend with some kind of scoped internal credentials), which is why the current architecture treats the handle into the persistence backend as being a property of the call context.

[dimas-b]

All that can be implemented as request-scoped beans, AFAIK 🤔 So, the "context" method parameters become injected fields or constructor parameters. Would that work?

[dennishuo]

Per discussion, we can continue fine-tuning callcontext syntax in the followup.

[dimas-b]

I'm generally against "call contexts" as explicit method parameters (or thread locals) from the API design POV.

Is there a reason why call context objects cannot be injected into impl. classes (Request-scoped beans in CDI)?

[dennishuo]

I'm very against using ThreadLocals as well, but it seems to me the opposite of ThreadLocal is explicit method parameter. In general I like the approach in core Iceberg code of trying to be very explicit as much as possible and avoiding injection.

"RequestScoped" seems prone to many of the same problems as ThreadLocals, where the provision of state leaves too much to the magic framework.

The main use case I'm thinking of here though is that not all CallContexts necessarily come in through the framework; we have the whole Tasks subsystem where we want an explicit definition of the CallContext that is constructed proactively by the system-initiated task handler

[snazy]

Regarding tasks in general and the concrete use case of "purging tables", all that's eventually needed are some parameters. For "purge table" that's an object describing the table and some Iceberg parameters - the actual "purge" itself doesn't need persistence at all. What we eventually need is a robust tasks framework (#774) - what individual task "runnables" need and how they work is up to those. If those need some persistence interaction, we can always have factories.

[snazy]

Regarding the parameter, yea - I also think, it's not necessary. If an implementation needs it, it could take it as a constructor argument.

[dimas-b]

I do not agree that the CDI framework is "magic" :) Critical points are controlled by the application: either through annotations or producer methods.

That said, dealing with the "call context" stuff an persistence API in the same PR is probably an overkill. At the same time, I believe it is important to have as clean a persistence API as possible (i.e. minimal set of parameters).

How about removing call context from this interface and use specialiazation when integrating with existing callers?

For example: Instead of persistence.writeEntity(ctx, ...) do persistenceProvider.forContext(ctx).writeEntity(...).

[dennishuo]

Yeah, I'm being half-facetious about the "magic" ;)

I try not to be a luddite but maybe just old-fashioned. As the saying goes "any sufficiently advanced injection of boilerplate code is indistinguishable from magic"

In this particular case though I was also spooked at how easily it could potentially slip through to accidentally inject something at the wrong scope: #1000 (comment)

Somehow the producer graphs were happy to inject an ApplicationScoped CallContext without any idea where it came from (!?)

[snazy]

inject an ApplicationScoped CallContext without any idea where it came from (!?)

Nope - producers are not ambiguous. If there is an ambiguity, Quarkus will fail the build. (Weld fails at runtime.)

[eric-maynard]

I think you're explaining that each bean can only have one producer, but that's not the kind of ambiguity referred to above. If you have a long chain of method calls where A.x calls B.y which calls C.z and so on, it can often be unclear at what point in time some object that's used in C.z was actually produced by the injection framework. It's ambiguous where & when the object was constructed, not what method actually did the construction.

[dimas-b]

From a different angle: Can PolarisCallContext contain all the necessary information for all possible implementations of BasePersistence? I'd like to avoid it becoming a union of all possible dependencies.

[dennishuo]

Let's continue fine-tuning callcontext syntax in the followup

[dimas-b]

It looks like grant records a different from "entities", right? If so, why not have a separate persistence interface for them?

[dennishuo]

It might be possible, but we'll have to think more about what kind of consistency guarantees we want to preserve given the upper layer's ResolvedEntity semantic which is a view of the entity with associated grants all together.

In practice, right now to preserve the intended behavior of Polaris' grant-based authorization, grants and entities are tightly coupled under the same implied persistence store with interrelated ids, grantRecordsVersions etc.

Perhaps if we really want to extract the GrantsManager to be 100% independent, we might want to introduce a different construct, like ForeignGrantRecords or something, where the referential integrity is no longer based on a shared persistence layer. I think that's a plausible option, but we can portray that as "new behavior" while we adapt the existing behavior as-is.

[snazy]

I foresee the need to have pluggable authZ. It doesn't need to be necessarily this specific RBAC. It could be ABAC, another RBAC or even "noop". WDYT about making the current RBAC objects just entities?

[collado-mike]

I don't think we are tied to a shared persistence layer. The foreign key constraints are implied, not explicit, so the grant records don't actually need to point to a valid entity id (valid from the grant record's persistence layer's perspective). What matters is that the grant version of the entity changes when the grant records are changed, but even that is not guaranteed in a non-transactional database system. I.e., there is no CAS that guarantees grant records are persisted and that the entity grant version changes atomically.

Introducing a ForeignGrantRecords concrete type means that the authorizer has to handle both native grants and external grants, which is more code to maintain and test.

[dimas-b]

grant version of the entity changes when the grant records are changed

Very interesting... I think I missed that point before. Could someone point to current code that relies on this?

[dennishuo]

polaris/polaris-core/src/main/java/org/apache/polaris/core/persistence/PolarisMetaStoreManagerImpl.java

Line 403 in bd27a2e

granteeEntity.setGrantRecordsVersion(granteeEntity.getGrantRecordsVersion() + 1);

// grants have changed, we need to bump-up the grants version
granteeEntity.setGrantRecordsVersion(granteeEntity.getGrantRecordsVersion() + 1);
this.writeEntity(callCtx, ms, granteeEntity, false);

Which impacts Resolver:

polaris/polaris-core/src/main/java/org/apache/polaris/core/persistence/resolver/Resolver.java

Line 559 in bd27a2e

|| entity.getGrantRecordsVersion() != versions.getGrantRecordsVersion()) {

    if (versions == null
        || entity.getEntityVersion() != versions.getEntityVersion()
        || entity.getGrantRecordsVersion() != versions.getGrantRecordsVersion()) {
      // if null version we need to invalidate the cached entry since it has probably been
      // dropped
      if (versions == null) {
        if (this.cache != null) {
          this.cache.removeCacheEntry(resolvedEntity);
        }
        refreshedResolvedEntity = null;
      } else {
        // refresh that entity. If versions is null, it has been dropped
        if (this.cache != null) {
          refreshedResolvedEntity =
              this.cache.getAndRefreshIfNeeded(
                  this.polarisCallContext,
                  entity,
                  versions.getEntityVersion(),
                  versions.getGrantRecordsVersion());
        } else {
          ResolvedEntityResult result =
              this.polarisMetaStoreManager.refreshResolvedEntity(
                  this.polarisCallContext,

[dimas-b]

@dennishuo : lots of comment :) but do not feel compelled to address them all in this PR. Many are discussion points. Many can be addressed later as long as we're in agreement about the general direction.

Thanks for starting this refactoring!

The only kind of critical point from my POV is dealing with multi-entity changes as a first-class persistence API feature.

[dimas-b]

What is this "original state"?

[dennishuo]

Changed this comment to just say "...reset all tables to an empty state"; any further bootstrapping state would be defined within shared business logic in the PolarisMetaStoreManagerImpl or BaseMetaStoreManager layer but this "persistence" layer doesn't need to worry about it.

[dimas-b]

Sorry, I' m still confused... Would the "list" methods find anything after deleteAll?

[dennishuo]

No, everything should be 100% empty after deleteAll.

[dimas-b]

Ok, that's what I expected :) I guess it's just a mater to rephrasing javadoc :)

[dimas-b]

What is the scope of "all"? Realm?

[dennishuo]

Yes. Updated comment to say "within the realm defined by the contents of the {@code callCtx}".

[snazy]

Practically we need two very different "purge realm" operations. "Prefix key deletion" and similar isn't supported by all databases. For databases that don't support "prefix key deletion" we'd have to scan the database and delete matching rows.

For database support that, deleting a whole realm can be very time consuming (think: transaction timeouts, aborted requests, etc).

What I'm thinking of is realm-state management: created (populate all the things) -> active (usable) -> inactive (just disabled) -> purging (realm can be purged) -> purged. This would give us some flexibility and I think better guarantees. When a realm's created, a bunch of things need to happen - with pluggable authZ for example even things we don't know - the "realm initial population" can be performed by the things that "core Polaris" needs plus things that plugins need.
To delete and eventually purge a realm, it should be set to "inactive" first to prevent having intermediate dirty states and requests running against a realm that's being purged (or marked as such). A regularly run maintenance job could then do the actual cleanup.
WDYT?

[dennishuo]

Yeah I suspect there will a lot more adjustments to the common bootstrap and purge code still to come, especially when it comes to async purge and maybe having a safe retention period before final purge; we can continue to refine in the followup.

[dimas-b]

What's the use for limit when the caller cannot resume listing later?

[dennishuo]

We'll need pageToken for real pagination, agreed. Right now looks like upper layer uses it for basically "hasChildren" checks.

[snazy]

Looks like you can replace the last 3 parameters, if this returns a Stream

[snazy]

For pagination we'd need a "proper" page token that guards against changes between any two pages, to make it impossible that the same entries are returned in more than one page.

For posterity, assume there are 5 tables:

• table-A
• table-C
• table-E
• table-G
• table-I

Assume a page-size of 2.

The first request yields

• table-A
• table-C

Then "table-B" is created

The second request should yield

• table-E
• table-G
• table-I

However, org.apache.iceberg.rest.CatalogHandlers#paginate uses integer indexes, so the second request would actually yield "table-C" again:

• table-C
• table-E
• table-G
• table-I

Implying that all list* calls return results in a deterministic order (e.g. ascending by name).

[eric-maynard]

See #273 for a pagination implementation that's not based on the integer index

[dimas-b]

Why is it critical to have this as a dedicated API method?

[dennishuo]

Good question. Not sure, for now just preserving behavior. Looks like there's a mix of using hasChildren and listEntities(limit...)

[dimas-b]

If you do not mind, let's remove it to reduce the API breadth. We can always add something later if this use case needs to be optimized... I kind of doubt that it will even come to that because deleting namespaces is less frequent than getting the children of a namespace.

[dimas-b]

Can PolarisStorageConfigurationInfo be an simple entity in BasePersistence?

[dennishuo]

Yeah, that was actually one of the original designs, and the current Catalog nesting was thought of as a "simplification" to define "inline StorageConfigurationInfo".

In theory they can be first-class entities and we can have catalogs take referential ids/uris to the configuration info.

[snazy]

Why does persistence need to know about object-storage at all? I think persistence and object-storage are very different things. This function and loadPolarisStorageIntegration are factories for object-storage specific functionality.

[dennishuo]

Yeah, we might be able to lift these one or two layers higher up in followups.

[dimas-b]

I'd think secrete generation not be a persistence concern.

[dennishuo]

Persistence needs to persist a referential ID though

[dimas-b]

What do you mean by "persist a referential ID"?

[dennishuo]

This can be better standardized in the next few followups especially as we also add a ConnectionConfigurationInfo for Catalog Federation, but in general the idea is to leave room (maybe optionally) for the lower-level customizable logic to add persistence-related book-keeping, if secrets or integrations create heavyweight resources.

In OpenCatalog, for example, the machinery might create an "OauthIntegration" in a separate subsystem to serve each new Polaris PrincipalEntity, and there would be a unique integrationId kept track of within the internalProperties of the PrincipalEntity, and likewise the principalId would be stored in the external OAuthIntegration.

This does start getting into the realm of "type-specific extensions" to the underlying persistence model like was suggested in Yufei's proposal, but just in a more limited/low-level scope.

Generally I'd agree though that these interfaces could use some refinement. I'm thinking one of our followup refactors can focus on this "integration provider" concept to make it more natural across implementations. Maybe it's not strictly a "persistence concern" ultimately, but just a "pluggable integration object framework that may interact with the core persistence model".

[flyrain]

Can we rename the class to something like TransactionalMetastore or TransactionOrientedMetaStore? I'd also suggest to move it to a separated package, like org.apache.polaris.core.persistence.transactional, so that it provides a clear structure for other types of metastore to extend.

[dennishuo]

Done

[flyrain]

Thanks @dennishuo! I think it's a good start point.

[snazy]

the spec does allow things of different types to have the same name

I suspect you refer to the Iceberg APIs/spec. IMO it's rather a mistake in Iceberg to allow having a view and a table with the exact same name - just thinking about: "SELECT * from this_thing" ... is it a table or a view or a UDF? OTOH, there are checks that prevent creating a table using the same name as an existing view.

[snazy]

Regarding tasks in general and the concrete use case of "purging tables", all that's eventually needed are some parameters. For "purge table" that's an object describing the table and some Iceberg parameters - the actual "purge" itself doesn't need persistence at all. What we eventually need is a robust tasks framework (#774) - what individual task "runnables" need and how they work is up to those. If those need some persistence interaction, we can always have factories.

[snazy]

I foresee the need to have pluggable authZ. It doesn't need to be necessarily this specific RBAC. It could be ABAC, another RBAC or even "noop". WDYT about making the current RBAC objects just entities?

[snazy]

Practically we need two very different "purge realm" operations. "Prefix key deletion" and similar isn't supported by all databases. For databases that don't support "prefix key deletion" we'd have to scan the database and delete matching rows.

For database support that, deleting a whole realm can be very time consuming (think: transaction timeouts, aborted requests, etc).

What I'm thinking of is realm-state management: created (populate all the things) -> active (usable) -> inactive (just disabled) -> purging (realm can be purged) -> purged. This would give us some flexibility and I think better guarantees. When a realm's created, a bunch of things need to happen - with pluggable authZ for example even things we don't know - the "realm initial population" can be performed by the things that "core Polaris" needs plus things that plugins need.
To delete and eventually purge a realm, it should be set to "inactive" first to prevent having intermediate dirty states and requests running against a realm that's being purged (or marked as such). A regularly run maintenance job could then do the actual cleanup.
WDYT?

[snazy]

Regarding the parameter, yea - I also think, it's not necessary. If an implementation needs it, it could take it as a constructor argument.

[snazy]

Why does persistence need to know about object-storage at all? I think persistence and object-storage are very different things. This function and loadPolarisStorageIntegration are factories for object-storage specific functionality.

[snazy]

The (most dominant) caller of this is when paths within a catalog are resolved.

We already have all "exploded paths" available at the call size, so I guess it's more ergonomic to delegate the resolution of these "exploded paths" to something that specialized for that. The nice side effect would be that call sites wouldn't have to deal with parent-child relationships but only with paths.

[snazy]

Isn't catalogId superfluous? Or do multiple catalogs have overlapping catalog-object IDs? IIRC all IDs are unique? Removing this parameter would also remove the need for the special NULL_ID handling, and PolarisEntityId could also go away.

[snazy]

The common denominator for atomic operations in non-transactional databases is a CAS on a single row/key. Like "fetch all things", then "check all requirements", then "persist all the changes" and eventually "perform a single CAS" to perform the atomic change. How would this be implemented for example for a "rename table" operation or a "multi table commit" involving all the changes to the individual entities and consistency guarantees?

[dennishuo]

As discussed, I think one main next step after getting this initial restructuring merged will be to push down the "atomicBatchConditionalWrite" method and make the multi-table control flow plumb through to that.

[dimas-b]

I have the concern with this approach as I put in https://lists.apache.org/thread/rf5orxs815zs4h64p4rwp03q3pbgxb5r

TL;DR: If we go with the semantics of "change is durable after a persistence API method call returns", then any kind API grouping (e.g. a few operations in the same Tx) is not logically correct, because the caller of the "wrapped" persistence deals with the same interface and can expect each call's changes to be durable independently of other calls' changes. This does not hold when actual changes are committed only at the end of a transaction.

[dimas-b]

To clarify: I support transaction persistence implementations in Polaris :) All I'm saying is that the transaction aspects should not be exposed in the persistence API, but should be handled privately by the transactional persistence impl.

[dennishuo]

Yeah it's a good point. Right now before all the refactoring I guess the upper layer (PolarisMetaStoreManagerImpl) is the ultimate authority on the unit of durability, and a custom impl of the traditional PolarisMetaStoreSession might "enforce" this by having ensureInWriteTransaction barriers, for example (OpenCatalog does this in its custom metastore session impl).

After this refactoring, I think it should be possible to unify under the semantic of "each method call is independently durable/committed", with the addition of the new atomicBatchConditionalWrite method (or whatever we call it).

As it stands in this PR, after pushing down the entitiesActive and entitiesChangeTracking stuff, the vast majority of the functionality no longer truly depends on the external layer defining the durability unit as a transaction, so we just need to chip away a few more things.

The main exceptions are called out in https://docs.google.com/document/d/1U9rprj8w8-Q0SnQvRMvoVlbX996z-89eOkVwWTQaZG0/edit?tab=t.0#heading=h.2cx2yoanf9c4

• GrantRecords - we can sacrifice perfect "atomicity" in favor of slightly weaker but still good enough "happens-before" semantics, and just document the implications
• Types that create external "integrations" and other peripheral entities (Catalogs, Principals, Drop -> Tasks) - also sacrifice atomicity in favor of multi-phase commit types of behaviors and/or happens-before guarantees.

[dimas-b]

Thanks again @dennishuo for starting the refactoring effort!

From my POV we can probably merge this PR in its current state and continue this effort in follow-up PRs.

[dimas-b]

"by-name" lookups looks like the interface is making too many assumptions about the implementation.

Can we say that the caller is responsible for setting this flag in case the parent of the name of the entity changes so that the implementation could use it as a hint to perform additional validation. In any case, the implementation is responsible for ensuring that names are unique within each namespace and that the same object cannot be found under more than one parent.

WDYT?

[dennishuo]

Ah sorry, missed this one before merging; as you suggested in another comment as well, I'll look to revamp all the javadoc comments in the newly extracted interfaces to better reflect the latest thinking and avoid references to old implementation details