Catch setting role exception and output a warning instead of stop migration process

[runwuf]

Proposed changes in this pull request

Catch exception when setting role fails and output a warning instead of stop the migration process.
This is a fix for migration from AWS RDS/Aurora as it stops when setting rol_config for rdstopmgr role.

Type (put an x where ever applicable)

• Bug fix: Link to the issue
• Feature (Non-breaking change)
• Feature (Breaking change)
• Documentation Improvement
• Other

Checklist

Please put an x against the checkboxes. Write a small comment explaining if its N/A (not applicable)

• All the tests are passing after the introduction of new changes.
• Added tests respective to the part of code I have written.
• Added proper documentation where ever applicable (in code and README.md).

Optional extra information

[ghost]

Sorry for the time to get this review. Some comments:

• What is the exact error? It's unclear from both the PR text and the commit message; this is a statement that's being performed on the target db as far as I can understand; why should this be a problem when migrating from RDS/Aurora?
• Catching "ProgrammingError" is too broad here IMHO and risks going on even when other issues arise; can't you find a more specific exception?

[runwuf]

@alanfranz-at-work @carobme I've added this new flag -fr , --filtered-roles to filter roles not to be migrated, please let me know your feedback then I'll add to the documentation.

[ghost]

I think the "filtered" route is better, but will need some refinements.

please remember to dismiss stale reviews otherwise we may not notice your PR in the review queue!

[ghost]

If you choose to go for the "filtered roles" route, why do you still need this change? Isn't this overlapping?

[runwuf]

I hope to keep this change, with the filtered roles flag, user needs to know exactly what roles to filter before the migration and supply that to the cli argument, should there be any special setting with this role that is unable to be set with avnadmin's permission it would stop the migration as the exception is not caught. I think failing to set a role should not stop the migration process completely.

[ghost]

The problem is... it's quite a bold statement. We'd need to be sure that such role is not needed in the destination database. If we go on and then we discover after months that the migrated db doesn't work anymore, that's an issue. It's better to fail fast.

Again, this will impact everything: aiven_db_migrate is a library that could be used anywhere (and it's used in aiven-core as well, as a library), we're adding a very generic workaround for a very narrow use case.

This is an AWS-specific thing. Maybe an idea could be add a specific flag to the command line, something like --ignore-source-aws-roles, and you put AWS-specific roles there, and pass them to filtered roles.

[runwuf]

that sounds like a good idea, I could just add rdstopmgr to the filtered_roles if --ignore-source-aws-roles is specified, do you think we should include all the rds* roles when the flag specified? and a similar flag such as --ignore-source-cloudsql-roles? one concern is if aws and google changes the names of these roles, probably not something we want to maintain in the migration tool code...

[ghost]

I don't think this can go in yet :-/

Still pending question:
I still don't understand why this happens and how, can you explain your setup and some details from the rdstopmgr role? Is it got some permission that we don't allow the end-user to assign? Could you paste some more detailed traceback?

[ghost]

The type for filtered_roles is wrong (tuple has fixed size, you need sequence or list or set) and the default argument type doesn't match.

[ghost]

remove f-string as it's not used anymore, please

[ghost]

nit: loggers have their own formatting system, no need to use f-strings.

[ghost]

Again, typing issues

[ghost]

nit: logger formatting

[ghost]

the parser has already the support for default values. but this can't work. should be an empty string as default value, I think.

then, down there, you could do something like

filtered_roles=[ role for role in args.filtered_roles.split(",") if role != "" ] (untested code)

so that the filtered_roles sequence is actually empty when passing it to the main func.

[runwuf]

@alanfranz-at-work
Here's the details of the aws specific issue, when creating a aws rds postgresql or aurora postgresql, both create these users out of the box

 rds_superuser
 rds_replication
 rds_iam
 rds_password
 rds_ad
 rdstopmgr
 postgres
 rdsrepladmin

where this rdstopmgr got the following rolconfig

SELECT rolname,rolconfig FROM pg_catalog.pg_roles WHERE rolname='rdstopmgr';
  rolname  |                                                                                                                                           rolconfig
-----------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 rdstopmgr | {log_statement=all,log_min_error_statement=debug5,log_min_messages=panic,exit_on_error=0,statement_timeout=0,TimeZone=utc,"search_path=pg_catalog, public",auto_explain.log_min_duration=-1,role=rdstopmgr,temp_file_limit=-1,pg_hint_plan.enable_hint=off,default_transaction_read_only=off}

when the migration tool try to set log_statement=all for rdstopmgr role on aiven postgresql it throws psycopg2.errors.InsufficientPrivilege with avnadmin

This can be reproduced by creating a new aws rds or aurora and a new aiven postgresql and run the migration tool. First time the migration tool would stop as soon as it failed to set the log_statement=all for rdstopmgr role, running the migration tool again it will continue as the rdstopmgr role has been created already.