release-22.1: spanconfig: limit # of tenant span configs #79627

blathers-crl · 2022-04-08T00:29:49Z

Backport 1/1 commits from #77337 on behalf of @irfansharif.

/cc @cockroachdb/release

Fixes #70555. In order to limit the number of span configs a tenant's
able to install, we introduce a tenant-side spanconfig.Limiter. It
presents the following interface:

// Limiter is used to limit the number of span configs installed by
// secondary tenants. It considers the committed and uncommitted
// state of a table descriptor and computes the "span" delta, each
// unit we can apply a configuration over. It uses these deltas to
// maintain an aggregate counter, informing the caller if exceeding
// the configured limit.
type Limiter interface {
  ShouldLimit(
    ctx context.Context, txn *kv.Txn,
    committed, uncommitted catalog.TableDescriptor,
  ) (bool, error)
}

This limiter only applies to secondary tenants. The counter is
maintained in a newly introduced (tenant-only) system table, using the
following schema:

CREATE TABLE system.span_count (
  singleton  BOOL DEFAULT TRUE,
  span_count INT NOT NULL,
  CONSTRAINT "primary" PRIMARY KEY (singleton),
  CONSTRAINT single_row CHECK (singleton),
  FAMILY "primary" (singleton, span_count)
);

We need just two integration points for spanconfig.Limiter:

Right above CheckTwoVersionInvariant, where we're able to hook into
the committed and to-be-committed descriptor state before txn commit.
In the GC job, when gc-ing table state. We decrement a table's split
count when GC-ing the table for good.

The per-tenant span config limit used is controlled by a new tenant
read-only cluster setting: spanconfig.tenant_limit. Multi-tenant cluster
settings (#73857) provides the infrastructure for the host tenant to be
able to control this setting cluster wide, or to target a specific
tenant at a time.

We also need a migration here, to start tracking span counts for
clusters with pre-existing tenants. We introduce a migration that scans
over all table descriptors and seeds system.span_count with the right
value. Given cluster version gates disseminate asynchronously, we also
need a preliminary version to start tracking incremental changes.

It's useful to introduce the notion of debt. This will be handy if/when
we lower per-tenant limits, and also in the migration above since it's
possible for pre-existing tenants to have committed state in violation
of the prescribed limit. When in debt, schema changes that add new
splits will be rejected (dropping tables/indexes/partitions/etc. will
work just fine).

When attempting a txn that goes over the configured limit, the UX is as
follows:

> CREATE TABLE db.t2(i INT PRIMARY KEY);
pq: exceeded limit for number of table spans

Release note: None
Release justification: low risk, high benefit change

Release justification:

Fixes #70555. In order to limit the number of span configs a tenant's able to install, we introduce a tenant-side spanconfig.Limiter. It presents the following interface: // Limiter is used to limit the number of span configs installed by // secondary tenants. It takes in a delta (typically the difference // in span configs between the committed and uncommitted state in // the txn), uses it to maintain an aggregate counter, and informs // the caller if exceeding the prescribed limit. type Limiter interface { ShouldLimit( ctx context.Context, txn *kv.Txn, delta int, ) (bool, error) } The delta is computed using a static helper, spanconfig.Delta: // Delta considers both the committed and uncommitted state of a // table descriptor and computes the difference in the number of // spans we can apply a configuration over. func Delta( ctx context.Context, s Splitter, committed, uncommitted catalog.TableDescriptor, ) (int, error) This limiter only applies to secondary tenants. The counter is maintained in a newly introduced (tenant-only) system table, using the following schema: CREATE TABLE system.span_count ( singleton BOOL DEFAULT TRUE, span_count INT NOT NULL, CONSTRAINT "primary" PRIMARY KEY (singleton), CONSTRAINT single_row CHECK (singleton), FAMILY "primary" (singleton, span_count) ); We need just two integration points for spanconfig.Limiter: - Right above CheckTwoVersionInvariant, where we're able to hook into the committed and to-be-committed descriptor state before txn commit; - In the GC job, when gc-ing table state. We decrement a table's split count when GC-ing the table for good. The per-tenant span config limit used is controlled by a new tenant read-only cluster setting: spanconfig.tenant_limit. Multi-tenant cluster settings (#73857) provides the infrastructure for the host tenant to be able to control this setting cluster wide, or to target a specific tenant at a time. We also need a migration here, to start tracking span counts for clusters with pre-existing tenants. We introduce a migration that scans over all table descriptors and seeds system.span_count with the right value. Given cluster version gates disseminate asynchronously, we also need a preliminary version to start tracking incremental changes. It's useful to introduce the notion of debt. This will be handy if/when we lower per-tenant limits, and also in the migration above since it's possible for pre-existing tenants to have committed state in violation of the prescribed limit. When in debt, schema changes that add new splits will be rejected (dropping tables/indexes/partitions/etc. will work just fine). When attempting a txn that goes over the configured limit, the UX is as follows: > CREATE TABLE db.t42(i INT PRIMARY KEY); pq: exceeded limit for number of table spans Release note: None Release justification: low risk, high benefit change Release note: None

blathers-crl · 2022-04-08T00:29:52Z

cockroach-teamcity · 2022-04-08T00:30:03Z

This change is

irfansharif · 2022-04-08T00:36:47Z

Has to merge after #79598.

ajwerner

Reviewed 36 of 70 files at r1, all commit messages.
Reviewable status: complete! 1 of 0 LGTMs obtained

blathers-crl bot requested a review from a team as a code owner April 8, 2022 00:29

blathers-crl bot requested review from a team April 8, 2022 00:29

blathers-crl bot requested a review from a team as a code owner April 8, 2022 00:29

blathers-crl bot force-pushed the blathers/backport-release-22.1-77337 branch from b14c0cc to 4823f8c Compare April 8, 2022 00:29

blathers-crl bot requested review from dt, ajwerner, arulajmani and irfansharif and removed request for a team April 8, 2022 00:29

blathers-crl bot added blathers-backport This is a backport that Blathers created automatically. O-robot Originated from a bot. labels Apr 8, 2022

blathers-crl bot assigned irfansharif Apr 8, 2022

ajwerner mentioned this pull request Apr 8, 2022

release-22.1: sql: fix bug in ALTER INDEX ... PARTITION BY #79598

Merged

irfansharif merged commit 9b4ab01 into release-22.1 Apr 8, 2022

irfansharif deleted the blathers/backport-release-22.1-77337 branch April 8, 2022 14:19

ajwerner reviewed Apr 8, 2022

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

release-22.1: spanconfig: limit # of tenant span configs #79627

release-22.1: spanconfig: limit # of tenant span configs #79627

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

release-22.1: spanconfig: limit # of tenant span configs #79627

release-22.1: spanconfig: limit # of tenant span configs #79627

Uh oh!

Conversation

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!