Add Polaris synchronization and migration tool to polaris-tools.

[mansehajsingh]

Adds an in development tool in the polaris-synchronizer/ directory to migrate between two Polaris instances.

• Changed file headers
• Ported over code

Roadmap: The tool is in development and there are a multitude of enhancements planned to generalize the tool across a wider array of use cases. Before these enhancements are carried out, it is important that the tool becomes generally available to the community so the wider Polaris group can pitch in ideas and contributions to guide the tool to align with new features we plan to introduce in Polaris's roadmap. Some planned enhancements include:

• Make tool build system conform with build items introduced in Initial commit for Iceberg catalog migrator #1
• Generalize tool auth flow to be less dependent on the deprecated client credentials flow for the catalog and add token refresh for long running jobs
• Improve robustness with enhancements like retries w/ exponential backoff, timeouts, etc.
• Determine how Policy migration might look once the Policy APIs are complete in Polaris.

Design Specification: https://docs.google.com/document/d/1AXKmzp3JaTuUS_FMNnxr_pHsBTs86rWRMborMi3deCw/edit?usp=sharing

[travis-bowen]

nit: often nice when there's a bunch of nulls to indicate what they are via comments.
validatePolarisInstanceProperties(baseUrl, accessToken, null /*oauth2ServerUri*/ , null /*clientId*/, null, null /*clientSecret*/, /*scope*/l);

[mansehajsingh]

Added!

[travis-bowen]

Is there a reason this is only needed on overwrite and remove and not on create?

[mansehajsingh]

This is because the overwrite of the catalog requires us to perform a cascading drop of the catalog. We only need to setup this omnipotent principal when we are initializing an iceberg rest client. On a createCatalog, we don't need an omnipotent principal until the time of syncing namespaces and tables. On overwrite and remove we need to do it before hand so we can drop catalog internals like namespaces and tables.

[travis-bowen]

nit: I think the comment means to say 'target' Polaris instance

[mansehajsingh]

Fixed!

[travis-bowen]

nit: spelling operationw -> operation

[mansehajsingh]

Fixed!

[mansehajsingh]

cc: @jbonofre It would be awesome to get your expertise on licensing and dependencies for this project.

[jbonofre]

@mansehajsingh sure thing ! I will !

[dimas-b]

This looks like a major addition to Polaris tools. While it looks very useful at first glance, I guess it would be helpful to have a dev ML summary of how it works and how it is meant to be used. WDYT? If I missed it, my apologies :) The README in this PR looks good for people who want to actually run the tool, but that text still seems to be too high level to help with understanding the tool's design (short of reading all the code).

[eric-maynard]

What does sync mean here? It looks like this not only copies entities from source to target, but it will also drop things in the target which are not present in the source? Why?

[mansehajsingh]

Two part response here:

• Why enable removal from the target? The idea is that if someone is running this periodically or multiple times, in the time since they last ran it, certain access control states may change. For example, BOB leaves the company, so all of BOB's principal roles are revoked. This kind of access control change should certainly be reflected in the target.
• The usage of the word sync. To be honest I'm not a fan of this word myself. The reason I used this term was because the tool started initially being built off of the iceberg-catalog-migrator introduced in Initial commit for Iceberg catalog migrator #1. For that tool, the term migrate means removal of all the entities from the source instance after they have been created in the target. So, not wanting to give the impression that this tool performed a migration, I named it a "Synchronization". Now that the tools are separate, I can offer that we rename all occurrences of "Sync" and "Synchronization" to "Migration"? I think that would better represent the tool to users and be more applicable from a code perspective.

[eric-maynard]

sync to me implies bidirectionality... after reading more, I see that this is almost like a backup. I agree that migrate also has some implications. Maybe replicator? I don't have a strong opinion here.

[mansehajsingh]

If we don't have strong opinions here, I think migrate might be fine. I think migrate opens up the least amount of assumptions of what this tool is supposed to do. I agree synchronization is pretty ambiguous. While I like replicator, replication to me is less applicable to how most people will be using this tool, which is to perform a bulk migration from Polaris 1 to Polaris 2.

[eric-maynard]

In failure cases like this one, do we want the tool to actually continue?

[mansehajsingh]

The idea here was that in the event of failure, you could triage the reasons behind why something was failing from the logs (eg. if a catalog was being migrated, not having credentials setup on the target to access storage), and just re-run the tool "idemppotently" to migrate whatever failed to migrate last time, but leave everything that moved over successfully. Here, maybe we fail the principal roles for some reason, like the list call just had a network failure, but we can still migrate over everything else. This would be especially useful for cron scenarios, because we don't want to tank the whole thing because this part failed. To avoid one off failures, the roadmap for the tool includes introducing retries, etc.

[eric-maynard]

Could we add a config to optionally fail loudly?

[mansehajsingh]

I have added an option --halt-on-failure

[eric-maynard]

Can we add a TODO that it's not needed once the Polaris dependency is upgraded with a version of Polaris that has ETag in the normal response type(s)

[mansehajsingh]

Added! Also added to a bunch of other ETag related classes.

[eric-maynard]

Rather than service this is maybe a manager? From what I understand the normal implementation will just be a local hashmap or something

[mansehajsingh]

I have renamed it.

[eric-maynard]

Is this the only implementation provided? Seems like a HashMap could get us pretty far.

[eric-maynard]

Or a Caffeine cache

[mansehajsingh]

The reason why an in-memory implementation doesn't quite make sense for this is that you'd never really be able to reload this context on following runs of the tool. Since you're only ever retrieving/using the ETag once per table per migration, it is not useful to store it ephemerally.

[eric-maynard]

When is this meant to be thrown?

If we keep this can we get a Javadoc?

[mansehajsingh]

This is meant to be thrown when we get a 304 NOT MODIFIED from the server indicating that table metadata is current for an ETag we provide. I have renamed it for clarity and given it a javadoc.

[eric-maynard]

Oh I see, we also have this implementation as the default one. That seems good. think that's fine, but how are you meant to reconfigure this if it's hard-coded?

[mansehajsingh]

The point of making this configurable wasn't so much a concern for the CLI, but if someone wanted to use the PolarisSynchronizer from somewhere outside the CLI and have it persist ETags to a different persistence store than a file.

[eric-maynard]

Can we initialize the ETagService based on the config here?

[mansehajsingh]

Ok, what I've done is made it so that a custom implementation is configurable via the CLI. Now you can specify an ETagManager type with an option --etag-storage-type (currently NONE, FILE, and CUSTOM) and pass a fluid set of properties via --etag-storage-properties. Is this sort of what you're looking for? I still have doubts as to whether someone would necessarily want to use anything beside a file from the CLI. I just made it configurable so if the code itself was used anywhere someone could easily write and pass in a custom implementation.

[eric-maynard]

We include this arg here which looks specific to one implementation of the ETagService; is the intent to have ETagService be pluggable or to always rely on a file?

[mansehajsingh]

The intent is to have it be pluggable by a client using the PolarisSynchronizer outside of the CLI implementation. When we started building this tool, we had interest for being able to plug the tool's logic into use cases outside of the CLI, eg. internally within a background service, where we could pick a different persistence store than a file.

[mansehajsingh]

Updates:

I have added migration of principals and their assignments to principal roles to the tool. I have gated these behind a flag, --sync-principals so that users have to opt-in to migrate these entities. The reason for this is that the client credentials for these principals get reset on the target instance. Since these are only available at the time of creation, I've made it so that the tool logs the target credentials to stdout.

eg.

WARN  - Principal migration will reset credentials on the target Polaris instance. Principal migration will log the new target Principal credentials to stdout.

...

INFO  - Overwrote principal principal-2 on target. Target credentials: <client-id>:<client-secret> - 1/1

I have added tests for this functionality. Improved the javadocs and made some minor changes. I have updated the design spec with these changes as well.

[mansehajsingh]

I have also added base level build configs so that the tool can build a runnable shadowjar. This will need to be iterated on to add CI, running checks for codestyle etc. now that the build configuration in #1 is not common to the entire repository.

[mansehajsingh]

@dimas-b I have updated the PR description with a link to the design spec!

[travis-bowen]

Looked over the latest changes.

[travis-bowen]

By 'the empty namespace will not be dropped' might clarify to say 'Namespace.empty()' which represents the root namespace - to clarify that a namespace that is empty isn't the same thing.

[mansehajsingh]

I have updated this comment

[travis-bowen]

Feels a little strange to have dropTableWithoutPurge when I believe the iceberg apis are just dropCatalog and then you specify whether purge is requested or not.

not a blocker though so if it's not a quick method name update feel free to skip.

[mansehajsingh]

I named this explicitly to ensure that an implementor never enables purge on a drop of a table. Unfortunately, while I think this is super scary, the default dropTable on the Catalog interface within iceberg is described as "Drop a table and delete all data and metadata files.". Not explicity passing purge=false would be the correct thing to do here because we do not want to clean anything up, we need to register that same metadata file to the target catalog.

[travis-bowen]

Does this need any other properties provided to the CLI? For example - oauth endpoint if it's not standard? Or other forms of access (like just an auth token - if that's supported)

[mansehajsingh]

I have added a new property omnipotent-principal-oauth2-server-uri that defaults to the v1/oauth/tokens endpoint, but now is configurable from the CLI. The current omnipotent principal workflow outputs client credentials at the moment, so I'm not sure an auth token is necessary right now. We should explore this with external OAuth.

[travis-bowen]

It feels a little strange to convert withWriteAccess to implicitly imply target or source - it would be kind of nicer if it's possible for the variable to just maintain the withWriteAccess through the object creation, but if there's good reason we can always start with this.

[mansehajsingh]

No, you're right, this is a bit clunky. I've made it so that the individual commands just pipe the property down and it is no longer implicitly implied by the being the source or target.

[eric-maynard]

LGTM! There's lots of followup work I can imagine, like import/export from files or parallelization, but this will be really useful for anyone migrating from one Polaris instance to another where the metastores are not the same. Thanks for all your work on this!