Fix Rule Evaluation Logic for Handling Multiple Rules of the Same Type - Part 2 (Data Backfilling) #2206
Conversation
Vyom-Yadav
force-pushed
the
issue-1609-data-backfilling
branch
from
f7e83c6 to
7692134
Compare
This comment was marked as resolved.
This comment was marked as resolved.
Vyom-Yadav
force-pushed
the
issue-1609-data-backfilling
branch
from
7692134 to
6712735
Compare
Vyom-Yadav
changed the title
Vyom-Yadav
force-pushed
the
issue-1609-data-backfilling
branch
8 times, most recently
from
23ffdfb to
753233e
Compare
…e - Part 2 (Data Backfilling) * entity_profiles.contextual_rules are modified to have rule name key with rule_type or 'rule_type-rand_uuid' in case of collisions * Existing rule_evaluations.rule_name columns are filled by referring to entity_profiles.contextual_rules[*].name key * Handlers and Sql queries are updated to reflect not null constraint on rule_evaluations.rule_name column * migration_profile_backfill_log table is created to support migrating down Signed-off-by: Vyom-Yadav <[email protected]>
Vyom-Yadav
force-pushed
the
issue-1609-data-backfilling
branch
from
753233e to
9ecd282
Compare
| INSERT | ||
| INTO migration_profile_backfill_log (profile_id) |
There was a problem hiding this comment.
I like this approach, thank you!
| @@ -2,7 +2,7 @@ | |||
| -- name: UpsertRuleEvaluations :one | |||
| INSERT INTO rule_evaluations ( | |||
| profile_id, repository_id, artifact_id, pull_request_id, rule_type_id, entity, rule_name | |||
| ) VALUES ($1, $2, $3, $4, $5, $6, sqlc.narg(rule_name)) | |||
| ) VALUES ($1, $2, $3, $4, $5, $6, $7) | |||
There was a problem hiding this comment.
It took me a bit to verify. this, so I'm going to record it. I think this is safe because the migration script runs before the server update.
Because migrations run before the server code update, we could have the server attempting to insert rule_name == NULL from https://github.com/stacklok/minder/blob/b7fb73a53159a74dd6307a4dd7de4c614ec8aef1/internal/engine/eval_status.go#L129 unless we've backfilled the table. Once the table is backfilled, that shouldn't happen, and all the following rule evaluations should have name set:
Path:
EvalStatusParamsis set here increateEvalStatusParamsfrom theProfile.Ruleand not otherwise.getEvaluatoris the only caller ofcreateEvalStatusParams, which is a pass-through from theTraverseRulesinevalEntityEvent.TraverseRulesruns the supplied function over each rule in therelevantset computed byGetRulesForEntity, which selects one ofrepository,build_environment,pull_requests, orartifactsfrom the lists of rules in the Profile and returns them without edit.- We get the set of Profiles from
ListProfileByProjectIDpassed throughMergeDatabaseListIntoProfiles - While
ListProfilesByProjectIDis auto-generated,MergeDatabaseListIntoProfilescallsrowInfoToProfileMapto fill out the rules in the proto. rowInfoToProfileMapunpacks the list of rules stored as JSON in the database, and returns them, which doesn't set rule names if not already present.- The migration is selecting the rows FOR UPDATE, which should hopefully block any attempts to evaluate rules while the migration is in progress.
There was a problem hiding this comment.
I think this is safe because the migration script runs before the server update.
...
The migration is selecting the rows FOR UPDATE, which should hopefully block any attempts to evaluate rules while the migration is in progress.
Exactly. Even if some rule is under evaluation and has fetched all required data from DB before the migration script began, the migration script would lock the tables and set the NOT NULL constraint on the column. So after the migration is complete and the engine gets access to the table, upserts would fail if they don't have a rule_name.
To prevent losing those events to some extent, we have retry mechanisms. In subsequent tries, the server would fetch rule_name from the DB to perform a legal operation.
Fixes #1609
Changes and implications:
entity_profiles.contextual_rulesare modified to have rule name key withrule_typeorrule_type-rand_uuidin case of collisionsExisting null
rule_evaluations.rule_namecolumns are filled by referring tonamekey inentity_profiles.contextual_rulesHandlers and Sql queries are updated to reflect not null constraint on
rule_evaluations.rule_namecolumnmigration_profile_backfill_logtable is created to support migrating downThe rules are reconciled by the subsequent
InternalProfileInitEventTopic, andExecuteEntityEventTopicevents. Profiles/Repositories not receiving these types of events won't be reconciled to update them to the latest state.Reconciliation can potentially open new PRs/Security Advisories, etc., as the duplicate rule's row (entry) was overridden by the other rule of the same type.