ABR1: AtlasBackupService #5708

gsheasby · 2021-10-15T13:41:02Z

Current status (1/11):
The implementation and wiring looks complete and ready for review to me, needs more tests.

Goals (and why): Atlas should provide backup and restore services, so that our internal backup + restore solution is not overly reliant on AtlasDB internals.

Implementation Description (bullets):

Conjurise Timelock's LockImmutableTimestamp endpoint, as it's needed for the backup process
Add AtlasBackupService, which encapsulates the steps of the backup process where communication with Timelock is required
Introduced NamespacedLockToken and PrepareBackupResponse objects to hold the information that is needed by the backup process, without necessarily tying it to "lock immutable timestamp" (so that if we wish to extend this additively, we can do so without a breaking change)

Testing (What was existing testing like? What have you done to improve it?):

Added tests in AtlasBackupServiceTest.

Concerns (what feedback would you like?):

Would like feedback on general approach. Are the method signatures / new request/response objects appropriate?

Where should we start reviewing?:

AtlasBackupService

Priority (whenever / two weeks / yesterday):

early this week

changelog-app · 2021-10-15T13:41:08Z

Generate changelog in `changelog/@unreleased`

Type

Description

Add AtlasBackupService, which encapsulates the steps of the backup process where communication with Timelock and/or knowledge of AtlasDB internals is required.

Check the box to generate changelog(s)

Generate changelog entry

for consistency - do we still need to do this?

gmaretic

Just a high-level comment, before I do a more detailed review -- we should define the backup service as a conjure API. This does require a new version of timelock to be picked up, but it decouples the server-side logic from the client

gmaretic

As noted above, I would structure this differently with the idea that we make calls as efficient as possible and move the logic into timelock itself while exposing a minimal interface needed for backups and not relying on the implementation.
Happy to go into more detail offline if that helps

gmaretic · 2021-10-18T14:30:18Z

atlasdb-backups/src/main/java/com/palantir/atlasdb/backup/AtlasBackupService.java

+    }
+
+    // lock immutable timestamp
+    public PrepareBackupResponse prepareBackup(AuthHeader authHeader, String namespace) {


We should also make this endpoint accept a set of namespaces for efficiency

gmaretic · 2021-10-18T14:32:51Z

atlasdb-backups/src/main/java/com/palantir/atlasdb/backup/AtlasBackupService.java

+    }
+
+    // check immutable ts lock
+    public boolean checkBackupIsValid(AuthHeader authHeader, NamespacedLockToken namespacedLockToken) {


I would even go as far as not having the NamespacedLockToken directly, but some BackupToken that is generated by timelock. Its validity might be tied to the validity of the immutable ts lock for now, but it could change in the future and the client should not have to care about that

gmaretic · 2021-10-18T14:34:21Z

atlasdb-backups/src/main/java/com/palantir/atlasdb/backup/AtlasBackupService.java

+import java.util.Set;
+import org.jetbrains.annotations.NotNull;
+
+public class AtlasBackupService {


Instead of a thick client, most of this logic should live in timelock server

gmaretic · 2021-10-18T14:36:01Z

timelock-api/src/main/conjure/timelock-api.yml

@@ -146,6 +174,11 @@ services:
          namespace: string
          request: ConjureLockRequest
        returns: ConjureLockResponse
+      lockImmutableTimestamp:


we should not expose this

To elaborate: this is not generally something we want to allow users to do -- it is an implementation detail of how transactions work, and exposing it both makes further changes more difficult and could cause reckless users to adversely affect things they don't know about. For example, if someone calls this and holds it for an indefinite amount of time, that blocks sweep from progressing.

This reverts commit 1381ff6.