Catch setting role exception and output a warning instead of stop migration process #33

Open
wants to merge 3 commits into
base: main
@runwuf runwuf commented Apr 1, 2022

Proposed changes in this pull request

Catch the exception when setting a role fails and output a warning instead of stopping the migration process.
This is a fix for migration from AWS RDS/Aurora as it stops when setting rol_config for rdstopmgr role.

Type (put an x wherever applicable)

  • Bug fix: Link to the issue
  • Feature (Non-breaking change)
  • Feature (Breaking change)
  • Documentation Improvement
  • Other

Checklist

Please put an x against the checkboxes. Write a small comment explaining if it's N/A (not applicable)

  • All the tests are passing after the introduction of new changes.
  • Added tests respective to the part of code I have written.
  • Added proper documentation wherever applicable (in code and README.md).

Optional extra information

@runwuf runwuf requested a review from a team as a code owner April 1, 2022 00:22
@runwuf runwuf force-pushed the fwu-setting-role-warning branch from 747330d to 135af39 Compare April 1, 2022 00:30
@ghost ghost left a comment

Sorry for the time to get this review. Some comments:

  • What is the exact error? It's unclear from both the PR text and the commit message; this is a statement that's being performed on the target db as far as I can understand; why should this be a problem when migrating from RDS/Aurora?
  • Catching "ProgrammingError" is too broad here IMHO and risks going on even when other issues arise; can't you find a more specific exception?

@runwuf runwuf force-pushed the fwu-setting-role-warning branch 2 times, most recently from 0e09045 to 0e871c3 Compare April 26, 2022 18:46
@runwuf runwuf force-pushed the fwu-setting-role-warning branch from 0e871c3 to da827b4 Compare April 26, 2022 18:54
runwuf commented Apr 26, 2022

@alanfranz-at-work @carobme I've added this new flag -fr, --filtered-roles to filter roles not to be migrated. Please let me know your feedback, then I'll add it to the documentation.

@runwuf runwuf requested review from carobme and a user April 26, 2022 23:19
@ghost ghost left a comment

I think the "filtered" route is better, but will need some refinements.

Please remember to dismiss stale reviews, otherwise we may not notice your PR in the review queue!

aiven_db_migrate/migrate/pgmigrate.py
message="role created",
)
# display warning when ProgrammingErrorERROR 42501: InsufficientPrivilege: permission denied to set parameter for a role
except psycopg2.errors.InsufficientPrivilege:

If you choose to go for the "filtered roles" route, why do you still need this change? Isn't this overlapping?

Contributor Author

I hope to keep this change. With the filtered roles flag, the user needs to know exactly what roles to filter before the migration and supply that to the CLI argument; should there be any special setting with this role that is unable to be set with avnadmin's permission, it would stop the migration as the exception is not caught. I think failing to set a role should not stop the migration process completely.

@ghost ghost Apr 28, 2022

The problem is... it's quite a bold statement. We'd need to be sure that such a role is not needed in the destination database. If we go on and then we discover after months that the migrated db doesn't work anymore, that's an issue. It's better to fail fast.

Again, this will impact everything: aiven_db_migrate is a library that could be used anywhere (and it's used in aiven-core as well, as a library), we're adding a very generic workaround for a very narrow use case.

This is an AWS-specific thing. Maybe an idea could be to add a specific flag to the command line, something like --ignore-source-aws-roles, and you put AWS-specific roles there, and pass them to filtered roles.

Contributor Author

That sounds like a good idea. I could just add rdstopmgr to the filtered_roles if --ignore-source-aws-roles is specified. Do you think we should include all the rds* roles when the flag is specified? And a similar flag such as --ignore-source-cloudsql-roles? One concern is if AWS and Google change the names of these roles; probably not something we want to maintain in the migration tool code...

@runwuf runwuf force-pushed the fwu-setting-role-warning branch from 1a6cc73 to 7a98a1c Compare April 28, 2022 06:36
@runwuf runwuf requested a review from a user April 28, 2022 06:38
@ghost ghost left a comment

I don't think this can go in yet :-/

Still pending question:
I still don't understand why this happens and how; can you explain your setup and some details from the rdstopmgr role? Has it got some permission that we don't allow the end-user to assign? Could you paste some more detailed traceback?

self,
conn_info: Union[str, Dict[str, Any]],
filtered_db: Optional[str] = None,
filtered_roles: Tuple[str] = ((), ),

The type for filtered_roles is wrong (tuple has fixed size, you need sequence or list or set) and the default argument type doesn't match.

if not self._pg_roles:
# exclude system roles
roles = self.c("SELECT quote_ident(rolname) as safe_rolname, * FROM pg_catalog.pg_roles WHERE oid > 16384")
roles = self.c(f"SELECT quote_ident(rolname) as safe_rolname, * FROM pg_catalog.pg_roles WHERE oid > 16384")

remove f-string as it's not used anymore, please

for r in roles:
rolname = r["rolname"]

if rolname in self.filtered_roles:
self.log.debug(f'Skipping filtered role: [{r["rolname"]}]')
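
Review bot: the skip taken by "if rolname in self.filtered_roles:" is reported only through self.log.debug, while the main() hunk sets logging.basicConfig(level=logging.INFO, ...) in its else branch, so a run at that level leaves no record of which roles were left out of the target. A filtered role is a deliberate gap in the migrated access model; report it at info or warning level, and pass the role name as a logger argument instead of building the message with an f-string. The membership test is an exact match on rolname, so a value such as rds* will not match anything.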

nit: loggers have their own formatting system, no need to use f-strings.

@@ -738,15 +754,20 @@ def __init__(
verbose: bool = False,
mangle: bool = False,
filtered_db: Optional[str] = None,
filtered_roles: Tuple[str] = ((), ),

Again, typing issues

# display warning when ProgrammingErrorERROR 42501: InsufficientPrivilege: permission denied to set parameter for a role
except psycopg2.errors.InsufficientPrivilege:
self.log.warning(
f'Setting [{role.rolname}]: [{key}] = [{value}] failed. psycopg2.errors.InsufficientPrivilege'
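
Review bot: the "except psycopg2.errors.InsufficientPrivilege:" branch only logs and carries on, and the visible lines do not roll back. Unless this connection runs in autocommit mode, psycopg2 leaves the transaction aborted after the failed statement and every later statement on it fails with InFailedSqlTransaction, so the role's remaining settings would be refused as well. Confirm autocommit or roll back before continuing, and fix the comment above the except, where "ProgrammingErrorERROR" runs two words together.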

nit: logger formatting

@@ -1343,6 +1372,9 @@ def main(args=None, *, prog="pg_migrate"):
else:
logging.basicConfig(level=logging.INFO, format=log_format)

if not args.filtered_roles:
args.filtered_roles = ()
@ghost ghost Apr 28, 2022

The parser already has support for default values, but this can't work. It should be an empty string as default value, I think.

Then, down there, you could do something like

filtered_roles=[ role for role in args.filtered_roles.split(",") if role != "" ] (untested code)

so that the filtered_roles sequence is actually empty when passing it to the main func.

runwuf commented Apr 29, 2022

@alanfranz-at-work
Here are the details of the AWS-specific issue: when creating an AWS RDS PostgreSQL or Aurora PostgreSQL, both create these users out of the box:

 rds_superuser
 rds_replication
 rds_iam
 rds_password
 rds_ad
 rdstopmgr
 postgres
 rdsrepladmin

where rdstopmgr has the following rolconfig:

SELECT rolname,rolconfig FROM pg_catalog.pg_roles WHERE rolname='rdstopmgr';
  rolname  |                                                                                                                                           rolconfig
-----------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 rdstopmgr | {log_statement=all,log_min_error_statement=debug5,log_min_messages=panic,exit_on_error=0,statement_timeout=0,TimeZone=utc,"search_path=pg_catalog, public",auto_explain.log_min_duration=-1,role=rdstopmgr,temp_file_limit=-1,pg_hint_plan.enable_hint=off,default_transaction_read_only=off}

When the migration tool tries to set log_statement=all for the rdstopmgr role on Aiven PostgreSQL, it throws psycopg2.errors.InsufficientPrivilege with avnadmin.

This can be reproduced by creating a new AWS RDS or Aurora and a new Aiven PostgreSQL and running the migration tool. The first time, the migration tool would stop as soon as it failed to set log_statement=all for the rdstopmgr role; running the migration tool again, it will continue as the rdstopmgr role has been created already.
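
A pre-flight check for the failure described in this comment, as an added example that is not part of the PR or of aiven_db_migrate: it splits the comma-separated filter value along the lines suggested in the review and lists, before anything is written, which role settings the target would refuse. The function names, the RESTRICTED set and the sample roles are assumptions made for the example; unlike the review's one-liner, the parser also strips whitespace around names.

```python
from typing import Dict, List, Optional, Sequence, Tuple

# Assumption for this example: parameters the target's admin role may not set.
# On a real target, read them from pg_settings (context = 'superuser').
RESTRICTED = frozenset(
    {"log_statement", "log_min_error_statement", "log_min_messages", "temp_file_limit"}
)

# Constructed sample shaped like pg_roles rows; rdstopmgr's settings are
# abridged from the rolconfig quoted in the comment above.
SOURCE_ROLES = [
    {"rolname": "rdstopmgr", "rolconfig": [
        "log_statement=all", "log_min_messages=panic", "statement_timeout=0",
        "search_path=pg_catalog, public", "temp_file_limit=-1"]},
    {"rolname": "app_rw", "rolconfig": ["statement_timeout=30000"]},
    {"rolname": "reporting", "rolconfig": None},  # role without settings
]


def parse_filtered_roles(arg: str) -> List[str]:
    """Split the comma-separated CLI value; an empty string yields []."""
    return [name.strip() for name in arg.split(",") if name.strip()]


def split_rolconfig(rolconfig: Optional[Sequence[str]]) -> List[Tuple[str, str]]:
    """Entries are 'name=value'; only the first '=' separates the two."""
    pairs = []
    for item in rolconfig or []:
        name, _, value = item.partition("=")
        pairs.append((name, value))
    return pairs


def preflight(roles, filtered_roles: Sequence[str]) -> Dict[str, List[str]]:
    """Map each role that will be migrated to the settings the target refuses."""
    skip = set(filtered_roles)
    blocked: Dict[str, List[str]] = {}
    for role in roles:
        if role["rolname"] in skip:
            continue
        refused = [f"{k}={v}" for k, v in split_rolconfig(role["rolconfig"]) if k in RESTRICTED]
        if refused:
            blocked[role["rolname"]] = refused
    return blocked


if __name__ == "__main__":
    for name, refused in preflight(SOURCE_ROLES, parse_filtered_roles("")).items():
        print(f"{name}: target will refuse {refused}")
```

A non-empty result is the fail-fast signal: the operator either filters the listed role or accepts that those settings will not exist on the target, before the migration starts rather than halfway through it.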

@carobme carobme removed their request for review May 18, 2022 12:33