Extend syntax for Dynamic Catalogs

[ssheikin]

Description

• Add ALTER CATALOG commands to change name, properties and owner with security checks
  RENAME, SET PROPERTIES implemented
  catalog owner is not supported yet.
  catalog comment is not supported yet.

Additional context and related issues

Trino epic #12709

Release notes

( ) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required. Please propose a release note for me.
(x) Release notes are required, with the following suggested text:

# Section
* Add support for ALTER CATALOG RENAME statement. ({issue}`22188`)
* Add support for ALTER CATALOG SET PROPERTIES statement. ({issue}`22188`) 

[ssheikin]

@martint @dain @kokosing @nineinchnick @SemionPar please review

[ebyhr]

The current implementation exposes all properties even if it's marked as @ConfigHidden or @ConfigSecuritySensitive. I think we should hide or redact such properties.

[nineinchnick]

@ssheikin could you maybe extract SHOW CREATE CATALOG to a separate PR? @martint would that help with getting the less controversial parts merged sooner?

[piotrrzysko]

I have removed SHOW CREATE CATALOG from this PR. It should be possible to re-add it once the following are merged:

• Add connector SPI for returning redactable properties #24562
• Redact sensitive information in catalog queries #24563

I'm not sure if we want to introduce CREATE CATALOG LIKE (at least not at this stage). One question that comes to mind is how to define access rules for it. According to the SQL specification for CREATE TABLE LIKE:

If a <like clause> is contained in a <table definition>, then the applicable privileges for A shall include
SELECT privilege on the table identified in the <like clause>.

The issue is that we don’t have a SELECT privilege for catalogs.
I’m also not aware of any databases that provide CREATE ... LIKE functionality for anything other than tables. This makes it difficult to infer whether there’s a common approach we could adopt in this scenario.

[github-actions]

This pull request has gone a while without any activity. Tagging the Trino developer relations team: @bitsondatadev @colebow @mosabua

[mosabua]

I am adding the stale-ignore label under the assumption that you are still driving this PR to completion @ssheikin

[ebyhr]

Did you omit lowercase intentionally?

trino> CREATE CATALOG test USING memory;
CREATE CATALOG
trino> ALTER CATALOG test RENAME TO TEST;
RENAME CATALOG
trino> show catalogs;
 Catalog
---------
 TEST
 memory
 system
 tpch
(4 rows)

[piotrrzysko]

I think it was unintentional. I updated it to match how other catalog statements work.

[piotrrzysko]

Current status of this PR: it will no longer include SHOW CREATE CATALOG and CREATE CATALOG LIKE. The former will likely be re-added once redacting security-sensitive information (#24563) is merged. The latter probably needs more discussion. I don’t have permissions to update the PR description. Could one of the maintainers or @ssheikin update it?

[kokosing]

I have updated the description

[hashhar]

how do we ensure this is "transactional"?

[piotrrzysko]

There was a bug that caused activeCatalogs to be updated even when persisting the catalog specification failed. I’ve fixed this.

Currently, I see one problematic scenario:

1. catalogStore.addOrReplaceCatalog(newCatalog) succeeds.
2. catalogStore.removeCatalog(oldCatalog) fails.

If this happens, we end up with two catalogs, and the only way to recover is to manually DROP the old one.

To address this, we might need to extend the SPI by adding CatalogStore.replace(oldCatalog, newCatalog) and requiring implementations to perform this operation transactionally.

[hashhar]

the replace would probably also allow implementing ALTER CATALOG ... RENAME properly instead of as DROP + CREATE.

Let's skip for now and discuss it later.

[hashhar]

@martint @kasiafi do you want to take a look?

The original concerns were addressed by removing both SHOW CREATE CATALOG AND CREATE CATALOG LIKE....

[martint]

If any of the listed properties are not allowed?

[piotrrzysko]

I see that this follows the pattern used for other methods in this file. I believe the idea is that this exception is thrown when accessing a given resource is not allowed.

[martint]

Why is rename modeled as "clone the catalog into a new one, drop the old one" vs adding proper support for renaming catalogs? I'm concerned about the impact of any state that needs to be dropped and re-created, caches, etc., that would otherwise not be necessary to manage with a proper rename.

[piotrrzysko]

Renaming requires the following steps:

1. Creating a new connector instance, with the catalog name passed to ConnectorFactory::create.
2. Updating in-memory data structures in CoordinatorDynamicCatalogManager (activeCatalogs and allCatalogs).
3. Persisting the updated catalog name and version via CatalogStore.
4. Marking the old catalog as inactive and eventually pruning it.

It looks like this is exactly what clone and drop do. Do you think there's a less invasive way to implement rename?

[martint]

Got it. It's not ideal, though. It shouldn't be necessary to re-create the catalog just to give it a new name.

I guess the underlying problem is that ConnectorFactory::create takes a name. We should look into (for a future improvement) what it would take to decouple the instance from its name so that the name is just an entry in the catalog maps.

[piotrrzysko]

I've addressed all the comments. Along the way, I discovered two bugs that should now be fixed:

1. Previously, duplicated properties in ALTER CATALOG ... SET PROPERTIES caused an exception that could expose potentially security-sensitive property values. Now, only the last value is used, matching the behavior of CREATE CATALOG and ALTER TABLE ... SET PROPERTIES.
2. The in-memory state (activeCatalogs) was being updated even when persisting the catalog specification failed. Now, it is updated only when the corresponding CatalogStore operation succeeds.

[piotrrzysko]

I see that this follows the pattern used for other methods in this file. I believe the idea is that this exception is thrown when accessing a given resource is not allowed.

[piotrrzysko]

Renaming requires the following steps:

1. Creating a new connector instance, with the catalog name passed to ConnectorFactory::create.
2. Updating in-memory data structures in CoordinatorDynamicCatalogManager (activeCatalogs and allCatalogs).
3. Persisting the updated catalog name and version via CatalogStore.
4. Marking the old catalog as inactive and eventually pruning it.

It looks like this is exactly what clone and drop do. Do you think there's a less invasive way to implement rename?

[piotrrzysko]

I've inlined this. The logic for rename and alter differs slightly, and I believe it's easier to follow the flow of these operations when all the steps are in one place.

[piotrrzysko]

There was a bug that caused activeCatalogs to be updated even when persisting the catalog specification failed. I’ve fixed this.

Currently, I see one problematic scenario:

1. catalogStore.addOrReplaceCatalog(newCatalog) succeeds.
2. catalogStore.removeCatalog(oldCatalog) fails.

If this happens, we end up with two catalogs, and the only way to recover is to manually DROP the old one.

To address this, we might need to extend the SPI by adding CatalogStore.replace(oldCatalog, newCatalog) and requiring implementations to perform this operation transactionally.

[martint]

A couple of minor comments.

Also, you should squash the first and second commits. Otherwise, the first commit is "broken", since there's no handling of the new statements in the analyzer. Either, it should fail with a proper error saying "RENAME not yet supported" or implement the functionality.

[piotrrzysko]

I've addressed the latest comments.

[piotrrzysko]

@martint Could you please take a look? I addressed your recent comments.

[mosabua]

This will also need docs before merge. Please work with @jhlodin and myself to get that added here or in a separate PR.