PROD-2734 - initial partitioning support (user-defined windows)

[adamsachs]

Closes PROD-2734

Description Of Changes

• Depends on Initial support for DatasetCollection partitioning specifications fideslang#21
• Accepts array of strings in a fides_meta.partitioning.where_clauses (maybe there's a better name?) field on the DatasetCollection config, which are (for BQ DSR execution) injected into access and erasure queries
• if configured on a BQ dataset collection, DSR execution now executes one query per specified where_clauses string per node per DSR request, rather that just one query per node per DSR request.
• validation of where_clauses input to prevent SQL injection

Configuration is within fides_meta of a DatasetCollection, e.g.:

dataset:
  - fides_key: bigquery_example_test_dataset_with_partitioning
    name: BigQuery Example Test Dataset Demonstrating Partitioning
    description: Example of a BigQuery dataset containing a variety of related tables like customers, products, addresses, etc.
    collections:
      - name: customer_partitioned
        fides_meta:
          partitioning:
            where_clauses: [
                "`created` > DATETIME_SUB(CURRENT_DATETIME(), INTERVAL 1000 DAY) AND `created` <= CURRENT_DATETIME()",
                "`created` > TIMESTAMP_SUB(CURRENT_DATETIME(), INTERVAL 2000 DAY) AND `created` <= TIMESTAMP_SUB(CURRENT_DATETIME(), INTERVAL 1000 DAY)"
            ]
        fields:
       ...

• note that where_clauses values must strictly match an expected format/structure:

"`column_name` >(=) [value expression] (AND `column_1` <(=) [value expression])"

or

"`column_name` <(=) [value expression] (AND `column_1` >(=) [value expression])"

Code Changes

• update dataset <--> request graph (de)serialization to correctly extract partitioning metadata from dataset config
• perform rigid validation of where_clauses values in the partitioning metadata to prevent malicious string injection
• ensure partitioning can only be used with BigQuery DSR execution for now, as this is still an experimental feature
• provide a hook in generic retrieve_data to call a partitioned_retrieval method if the collection has partitioning defined (and the connector supports partitioning, i.e. only BigQuery for now)
• implement the partitioned_retrieval hook in the BigQueryConnector to support executing multiple partitioned queries for DSR access requests against BQ
• also update existing BQ-specific methods to support executing multiple partitioned queries for DSR erasure (update/delete) requests against BQ

Steps to Confirm

• testing steps here: https://ethyca.atlassian.net/wiki/spaces/EN/pages/3316875290/Testing+BQ+DSR+Partitioning

Pre-Merge Checklist

• All CI Pipelines Succeeded
• Documentation:
  • documentation complete, PR opened in fidesdocs
  • documentation issue created in fidesdocs
  • if there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
• Issue Requirements are Met
• Relevant Follow-Up Issues Created
• Update CHANGELOG.md
• For API changes, the Postman collection has been updated
• If there are any database migrations:
  • Ensure that your downrev is up to date with the latest revision on main
  • Ensure that your downgrade() migration is correct and works
    • If a downgrade migration is not possible for this change, please call this out in the PR description!

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Skipped Deployment

Name	Status	Preview	Comments	Updated (UTC)
fides-plus-nightly	⬜️ Ignored (Inspect)	Visit Preview		Oct 4, 2024 4:17am

[adamsachs]

some self review -

[adamsachs]

might be nice to allow proper ints here, but we do also need to support timestamps, and easiest for now is just to accept generic strings...

[galvana]

Not sure if this is where the issue is or downstream from this but I ran into the same thing for the SaaS config. You can do this:

class UserDefinedPartitionWindow(BaseModel):
    """Defines a user-defined partition window"""

    start: Union[int, str]
    end: Union[int, str]
    start_inclusive: bool = True
    end_inclusive: bool = True

Pydantic will try to parse as an int first, and if that doesn't work it will treat it as a string

[adamsachs]

TODO: update once ethyca/fideslang#21 is finalized and merged

[adamsachs]

TODO: could be cleaner

[adamsachs]

TODO: probably could be cleaner

[adamsachs]

same as before, just moved down here into the else.

[adamsachs]

injection of the partitioning vars, a new piece

[adamsachs]

same as before

[adamsachs]

injection of partitioning vars, the new piece

[adamsachs]

whoops, need to clean up. mistake.

[cypress]

fides    Run #10306

Run Properties:   Passed #10306  •  2c672a21ae ℹ️: Merge 445def52ba7bb05fb87210978ede924c1a72f4cc into eb9ba5ee372b244db58c108ead82...

Project	fides
Branch Review	refs/pull/5325/merge
Run status	Passed #10306
Run duration	00m 39s
Commit	2c672a21ae ℹ️: Merge 445def52ba7bb05fb87210978ede924c1a72f4cc into eb9ba5ee372b244db58c108ead82...
Committer	Adam Sachs
View all properties for this run ↗︎

---

Test results
Failures	0
Flaky	0
Pending	0
Skipped	0
Passing	4
View all changes introduced in this branch ↗︎

[galvana]

Not sure if this is where the issue is or downstream from this but I ran into the same thing for the SaaS config. You can do this:

class UserDefinedPartitionWindow(BaseModel):
    """Defines a user-defined partition window"""

    start: Union[int, str]
    end: Union[int, str]
    start_inclusive: bool = True
    end_inclusive: bool = True

Pydantic will try to parse as an int first, and if that doesn't work it will treat it as a string

[galvana]

Make sure to change self.node.address.collection to self._generate_table_name() once you pull in my change

Suggested change

	return f"UPDATE {self.node.address.collection} SET {', '.join(update_clauses)} WHERE {' AND '.join(pk_clauses + ([PARTITION_CLAUSE_TEMPLATE] if self.partitioning else []))}"
	return f"UPDATE {self._generate_table_name()} SET {', '.join(update_clauses)} WHERE {' AND '.join(pk_clauses + ([PARTITION_CLAUSE_TEMPLATE] if self.partitioning else []))}"

[adamsachs]

ah ok, well i've done this on the abstract class, but looks like i missed updating the subclasses that override this method - most importantly, bigquery.

thanks for calling that out!

[adamsachs]

oh i see, i think this also changed on the delete override PR 👍

probably was a bit more overlap here than anticipated...

[galvana]

Same as above, let's add another test to make sure we can generate a namespaced version of the table name

[adamsachs]

fall back to existing behavior if no partitioning

[adamsachs]

fall back to existing behavior if no partitioning

[pattisdr]

generally this makes sense - we're trying to support querying on a partitioned database with a very narrow scope, bigquery only to start, and the where clause is defined with bigquery syntax in the yaml that is added directly -

Given all that, I'd lean to keeping everything defined on the bigquery connector/bigquery queryconfig for now, as this is a super-specific implementation

[pattisdr]

This reminds me, if we end up removing support for the where clauses since it's experimental, we'll have to do it in a way that still allows DSR's in process to run:

DSR 3.0 (which our customers should all be running by now) stores a representation of this collection on the requesttask backing the node in the database, so we don't have to rebuild the graph. If details change about the partitioning, there could still be requesttasks that haven't run in the database with the old partitioning configuration which would fail when they are queued by the worker and the worker goes to rehydrate the collection off of the request task.

[adamsachs]

thanks for calling that out, great edge case to consider. i don't think there's a whole lot to do right now to anticipate that future state, beyond some code comments to warn the future dev that they'll need to handle that backward compatible case, right? if you have other ideas, would love to hear them to make this as seamless as possible a transition in the (hopefully near) future!

[pattisdr]

just a callout would be fine!

[pattisdr]

this seems useful, I could have added that for bigquery row-level deletes as well

[pattisdr]

Since we for sure only support bigquery at the moment, it felt too early to move this to the generic location, but that's just my opinion

[pattisdr]

might be able to dry some of this up with the update/deletes, just a thought

[adamsachs]

i hear you and agree, but the codepaths were already a bit duplicated to begin with, and it'll take a bit more effort to pull apart at the moment. i'll mark as a TODO for us to come back to generally DRYing up the two methods in a future iteration 👍

[pattisdr]

This feels like it shouldn't be here yet while it's only supported for bigquery -

[adamsachs]

that's fair, but i'd generally prefer not to create parallel implementations for retrieve_data (for maintenance purposes) and i'm not seeing a simple way to refactor this otherwise - but maybe i'm not being creative enough!

[pattisdr]

what is field_1 and field_2? can you add an example?

EDIT okay got it, parsing your PARTITION_CLAUSE_PATTERN now

[pattisdr]

what is there is no match then, something didn't fit the pattern and the match was None?

EDIT: nvm, that would be picked up in the if matching:

[pattisdr]

are all partitioning clauses expected to be on the same field as well, or do we just care about the pairs?

[adamsachs]

what is field_1 and field_2? can you add an example?

EDIT okay got it, parsing your PARTITION_CLAUSE_PATTERN now

let me still clarify things with some comments so this is easier to understand from a quick glance 👍

are all partitioning clauses expected to be on the same field as well, or do we just care about the pairs?

yeah, i do think we'd expect that, but i'm not sure that checking for it really helps in preventing malicious input. granted, i don't have a super concrete example of the type of malicious input that the current check prevents, but it does at least put some more bounds on each of the clause strings. i wasn't think that checking across strings provides a whole lot of value - but i guess it could help prevent/clarify user error?

just typing out my thoughts...

[pattisdr]

is any of this bigquery specific? if so we might note that

[adamsachs]

yeah good call, i think the back ticks may be BQ-specific, and we're already scoped down to BQ in other respects so let me just make that more explicit 👍

[pattisdr]

Reviewing/testing -

[pattisdr]

test_bigquery_example_data looks like a new test failure? that should be quick to resolve, I think it's just looking at table names

[pattisdr]

great this helps add confidence

[pattisdr]

V. helpful

[pattisdr]

I think you've done what you can given that we're allowing a where clause to be entered directly here! Lots of good checks.

[pattisdr]

I do like this, thanks

[codecov]

Codecov Report

Attention: Patch coverage is 38.09524% with 52 lines in your changes missing coverage. Please review.

Project coverage is 85.31%. Comparing base (eb9ba5e) to head (445def5).
Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
src/fides/api/service/connectors/query_config.py	20.00%	27 Missing and 1 partial ⚠️
src/fides/api/service/connectors/sql_connector.py	9.09%	18 Missing and 2 partials ⚠️
src/fides/api/graph/config.py	83.33%	2 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5325      +/-   ##
==========================================
- Coverage   85.44%   85.31%   -0.14%     
==========================================
  Files         378      378              
  Lines       23896    23971      +75     
  Branches     3189     3209      +20     
==========================================
+ Hits        20419    20450      +31     
- Misses       2892     2931      +39     
- Partials      585      590       +5     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[adamsachs]

merging as all CI failures already exist in main 👍

[cypress]

fides    Run #10305

Run Properties:   Passed #10305  •  c8f5b1f365: PROD-2734 - initial partitioning support (user-defined windows) (#5325)

Project	fides
Branch Review	main
Run status	Passed #10305
Run duration	00m 39s
Commit	c8f5b1f365: PROD-2734 - initial partitioning support (user-defined windows) (#5325)
Committer	Adam Sachs
View all properties for this run ↗︎

---

Test results
Failures	0
Flaky	0
Pending	0
Skipped	0
Passing	4
View all changes introduced in this branch ↗︎