[ASTS] Preliminaries I: deleteFromAtomicTable #7197

Open
wants to merge 13 commits into
base: develop

jeremyk-91
Contributor

General

Before this PR: We seek to store per-bucket progress as part of auto-scaling targeted sweep. This is intended to be an atomic table: that is, a table that is written to with checkAndSet (CAS) or putUnlessExists (PUE). However, currently there is no good way to delete entries from such tables, especially in Cassandra - the reason for this has to do with cell writetimes.

CAS and PUE perform writes to a database cell where the key is the cell's row, the column1 is the cell's column key and column2 (or timestamp) is AtlasDbConstants.TRANSACTION_TS = 0L. However, in Cassandra, mutations happen at a given writetime as well. The semantics of KeyValueService::delete apply deletes with a writetime of timestamp + 1, but this is almost certainly less than any wall clock time, meaning that a CAS followed by a simple KVS delete will almost certainly still leave the value that was allegedly deleted readable.

After this PR:

==COMMIT_MSG==
KeyValueService exposes a new endpoint, deleteFromAtomicTable. This performs deletes with a write timestamp chosen by the coordinator, and goes through a Paxos round for serializability.
==COMMIT_MSG==

We use CQL to manipulate atomic table state, and so these writetimes are based on the wall-clock timestamps of the coordinator, though they go through a round of Paxos.

Priority: P2

Concerns / possible downsides (what feedback would you like?):

  • There is an API break, though I think KeyValueService is an internal-ish API. We've done this before for setOnce, for instance.
  • An alternative was to make this similar to setOnce, but I wanted us to be able to re-store progress: we might eventually want to allow for people to reset the sweep progress (given some leak issues). See the deleteFromAtomicTableCanBeFollowedByCheckAndSet and PutUnlessExists tests.
  • An alternative was to not do a Paxos round on deletes, but I expect low contention (cleanup is planned to be a task guarded by an AtlasDB lock) and I'm not sure we want to deal with the possible edge cases where a subsequent put or CAS doesn't work because of clock drift.

Is documentation needed?: No.

Compatibility

Does this PR create any API breaks (e.g. at the Java or HTTP layers) - if so, do we have compatibility?: YES - adding method to KeyValueService. I think it's fine, is an internal API that we have broken before.

Does this PR change the persisted format of any data - if so, do we have forward and backward compatibility?: No

The code in this PR may be part of a blue-green deploy. Can upgrades from previous versions safely coexist? (Consider restarts of blue or green nodes.): Yes

Does this PR rely on statements being true about other products at a deployment - if so, do we have correct product dependencies on these products (or other ways of verifying that these statements are true)?: No

Does this PR need a schema migration? No

Testing and Correctness

What, if any, assumptions are made about the current state of the world? If they change over time, how will we find out?: Nothing in particular.

What was existing testing like? What have you done to improve it?: Added tests for the new endpoint.

If this PR contains complex concurrent or asynchronous code, is it correct? The onus is on the PR writer to demonstrate this.: N/A

If this PR involves acquiring locks or other shared resources, how do we ensure that these are always released?: N/A

Execution

How would I tell this PR works in production? (Metrics, logs, etc.): Per bucket progress can be deleted as part of cleanup

Has the safety of all log arguments been decided correctly?: I think so. CassandraTimestampUtils's are existing, and correct because those queries work on timestamp tables. deleteFromAtomicTable has rows and columns unsafe.

Will this change significantly affect our spending on metrics or logs?: No, don't think so.

How would I tell that this PR does not work in production? (monitors, etc.): Per bucket progress deletion doesn't work

If this PR does not work as expected, how do I fix that state? Would rollback be straightforward?: Rollback

If the above plan is more complex than “recall and rollback”, please tag the support PoC here (if it is the end of the week, tag both the current and next PoC):

Scale

Would this PR be expected to pose a risk at scale? Think of the shopping product at our largest stack.: No

Would this PR be expected to perform a large number of database calls, and/or expensive database calls (e.g., row range scans, concurrent CAS)?: No

Would this PR ever, with time and scale, become the wrong thing to do - and if so, how would we know that we need to do something differently?: Not really aware of this. Of course if we change the DB, but I think that usually needs a new KVS anyway.

Development Process

Where should we start reviewing?: SinglePartitionAtomicTableCellDeleter

If this PR is in excess of 500 lines excluding versions lock-files, why does it not make sense to split it?: 🦆

Please tag any other people who should be aware of this PR:
@jeremyk-91
@sverma30
@raiju
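
The writetime problem set out in the PR description above, as an added toy model in Python (not AtlasDB or Cassandra code). `Cell`, the function names and the sample wall-clock value are constructed for illustration, and `put_unless_exists` here reports whether the value ends up readable, which is a simplification of the real call.

```python
TRANSACTION_TS = 0  # AtlasDbConstants.TRANSACTION_TS, as stated in the PR description
TOMBSTONE = None


class Cell:  # winning mutation for one (row, column1, column2) cell
    def __init__(self):
        self.writetime, self.value = -1, TOMBSTONE

    def apply(self, writetime, value):
        # Last write wins: higher writetime wins; on a tie the tombstone wins.
        if (writetime, value is TOMBSTONE) > (self.writetime, False):
            self.writetime, self.value = writetime, value

    def read(self):
        return self.value


def put_unless_exists(cell, value, coordinator_micros):
    """PUE stamped with the coordinator's wall clock; True only if readable afterwards."""
    if cell.read() is not TOMBSTONE:
        return False
    cell.apply(coordinator_micros, value)
    return cell.read() == value


def kvs_delete(cell, atlas_timestamp=TRANSACTION_TS):
    """KeyValueService::delete as described: tombstone at writetime timestamp + 1."""
    cell.apply(atlas_timestamp + 1, TOMBSTONE)


def delete_from_atomic_table(cell, coordinator_micros):
    """New endpoint as described: tombstone stamped by the coordinator's clock."""
    cell.apply(coordinator_micros, TOMBSTONE)


def demo(now=1_721_400_000_000_000):  # constructed wall-clock time in microseconds
    cell = Cell()
    out = {"first_put": put_unless_exists(cell, b"progress-1", now)}
    kvs_delete(cell)
    out["after_kvs_delete"] = cell.read()  # writetime 1 loses to wall-clock time
    delete_from_atomic_table(cell, now + 10)
    out["after_atomic_delete"] = cell.read()
    # A put stamped earlier than the tombstone (lagging clock) stays shadowed.
    out["stale_clock_put"] = put_unless_exists(cell, b"progress-2", now + 5)
    out["later_put"] = put_unless_exists(cell, b"progress-2", now + 20)
    return out


if __name__ == "__main__":
    print(demo())
```

The `stale_clock_put` case is the clock-drift edge case the description gives as a reason for keeping deletes on the Paxos path.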


changelog-app bot commented Jul 19, 2024

Generate changelog in changelog/@unreleased

What do the change types mean?
  • feature: A new feature of the service.
  • improvement: An incremental improvement in the functionality or operation of the service.
  • fix: Remedies the incorrect behaviour of a component of the service in a backwards-compatible way.
  • break: Has the potential to break consumers of this service's API, inclusive of both Palantir services
    and external consumers of the service's API (e.g. customer-written software or integrations).
  • deprecation: Advertises the intention to remove service functionality without any change to the
    operation of the service itself.
  • manualTask: Requires the possibility of manual intervention (running a script, eyeballing configuration,
    performing database surgery, ...) at the time of upgrade for it to succeed.
  • migration: A fully automatic upgrade migration task with no engineer input required.

Note: only one type should be chosen.

How are new versions calculated?
  • ❗The break and manual task changelog types will result in a major release!
  • 🐛 The fix changelog type will result in a minor release in most cases, and a patch release version for patch branches. This behaviour is configurable in autorelease.
  • ✨ All others will result in a minor version release.

Type

  • Feature
  • Improvement
  • Fix
  • Break
  • Deprecation
  • Manual task
  • Migration

Description

KeyValueService exposes a new endpoint, deleteFromAtomicTable. This performs deletes with a write timestamp chosen by the coordinator, and goes through a Paxos round for serializability.

Check the box to generate changelog(s)

  • Generate changelog entry

/**
* Performs a delete from an atomic table - that is, a table written to by
* {@link #putUnlessExists(TableReference, Map)} or {@link #checkAndSet(CheckAndSetRequest)}. If applied to a
* table that is read to and written from using AtlasDB timestamps, behaviour is undefined.
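
Review bot: the last sentence of this Javadoc has its prepositions transposed: "read to and written from" should be "read from and written to". Since the behaviour on a timestamp-based table is left "undefined" for a destructive call, consider also stating whether implementations are expected to reject such tables or whether the check is entirely the caller's responsibility.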
Contributor Author

thought: having TransactionKeyValueService is nice here, because user transactions don't get to call this without doing scary stuff

@@ -808,7 +810,7 @@ private CfDef createDefaultCfDef(String namespace, String tableName) {
.setComment("")
.setColumn_metadata(new ArrayList<>())
.setTriggers(new ArrayList<>())
.setKey_alias(new byte[]{0x6B, 0x65, 0x79})
.setKey_alias(new byte[] {0x6B, 0x65, 0x79})
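
Review bot: the only difference in this hunk of createDefaultCfDef is the space added in `new byte[] {0x6B, 0x65, 0x79}` on the setKey_alias line, which is unrelated to deleteFromAtomicTable; consider moving the formatter output into its own commit so the diff under review carries only the behavioural change. If the line is touched anyway, a named constant or a short comment noting that the bytes spell "key" would make it easier to read.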
Contributor Author

for some reason, Spotless applied these manipulations - I believe they don't have any semantic changes.

@jeremyk-91 jeremyk-91 marked this pull request as ready for review July 22, 2024 14:35