Implement blocksconvert scanner for DynamoDB v9 schema (#3828)

* Implement DynamoDB blocksconvert (v9 schema only)

Remember which series we have processed, so we only emit entries
to the plan once for each series.

Signed-off-by: Bryan Boreham <bjboreham@gmail.com>

Includes: 
* Move IndexEntryProcessor to chunk package, so it can be shared across other packages
* Pre-check if user is allowed, and make use of map of ignored users
* Move IndexReader type beside IndexEntryProcessor
* Stop returning unexported type

Author: bboreham

CHANGELOG.md

@@ -20,6 +20,11 @@
 * [ENHANCEMENT] Distributor: Added distributors ring status section in the admin page. #4151
 * [BUGFIX] Purger: fix `Invalid null value in condition for column range` caused by `nil` value in range for WriteBatch query. #4128
 
+## Blocksconvert
+
+* [ENHANCEMENT] Scanner: add support for DynamoDB (v9 schema only). #3828
+
+
 ## 1.9.0 in progress
 
 * [CHANGE] Fix for CVE-2021-31232: Local file disclosure vulnerability when `-experimental.alertmanager.enable-api` is used. The HTTP basic auth `password_file` can be used as an attack vector to send any file content via a webhook. The alertmanager templates can be used as an attack vector to send any file content because the alertmanager can load any text file specified in the templates list. #4129

docs/blocks-storage/convert-stored-chunks-to-blocks.md

@@ -35,26 +35,28 @@ Scanner is started by running `blocksconvert -target=scanner`. Scanner requires
 
 - `-schema-config-file` – this is standard Cortex schema file.
 - `-bigtable.instance`, `-bigtable.project` – options for BigTable access.
+- `-dynamodb.url` - for DynamoDB access.  Example `dynamodb://us-east-1/`
 - `-blocks-storage.backend` and corresponding `-blocks-storage.*` options for storing plan files.
 - `-scanner.output-dir` – specifies local directory for writing plan files to. Finished plan files are deleted after upload to the bucket. List of scanned tables is also kept in this directory, to avoid scanning the same tables multiple times when Scanner is restarted.
 - `-scanner.allowed-users` – comma-separated list of Cortex tenants that should have plans generated. If empty, plans for all found users are generated.
 - `-scanner.ignore-users-regex` - If plans for all users are generated (`-scanner.allowed-users` is not set), then users matching this non-empty regular expression will be skipped.
 - `-scanner.tables-limit` – How many tables should be scanned? By default all tables are scanned, but when testing scanner it may be useful to start with small number of tables first.
 - `-scanner.tables` – Comma-separated list of tables to be scanned. Can be used to scan specific tables only. Note that schema is still used to find all tables first, and then this list is consulted to select only specified tables.
+- `-scanner.scan-period-start` & `-scanner.scan-period-end` - limit the scan to a particular date range (format like `2020-12-31`)
 
 Scanner will read the Cortex schema file to discover Index tables, and then it will start scanning them from most-recent table first, going back.
 For each table, it will fully read the table and generate a plan for each user and day stored in the table.
 Plan files are then uploaded to the configured blocks-storage bucket (at the `-blocksconvert.bucket-prefix` location prefix), and local copies are deleted.
 After that, scanner continues with the next table until it scans them all or `-scanner.tables-limit` is reached.
 
-Note that even though `blocksconvert` has options for configuring different Index store backends, **it only supports BigTable at the moment.**
+Note that even though `blocksconvert` has options for configuring different Index store backends, **it only supports BigTable and DynamoDB at the moment.**
 
 It is expected that only single Scanner process is running.
 Scanner does the scanning of multiple table subranges concurrently.
 
-Scanner exposes metrics with `cortex_blocksconvert_scanner_` prefix, eg. total number of scanned index entries of different type, number of open files (scanner doesn't close currently plan files until entire table has been scanned), scanned BigTable rows and parsed index entries.
+Scanner exposes metrics with `cortex_blocksconvert_scanner_` prefix, eg. total number of scanned index entries of different type, number of open files (scanner doesn't close currently plan files until entire table has been scanned), scanned rows and parsed index entries.
 
-**Scanner only supports schema version v9, v10 and v11. Earlier schema versions are currently not supported.**
+**Scanner only supports schema version v9 on DynamoDB; v9, v10 and v11 on BigTable. Earlier schema versions are currently not supported.**
 
 ### Scheduler
 
@@ -109,5 +111,5 @@ Cleaner should only be deployed if no other Builder is running. Running multiple
 
 The `blocksconvert` toolset currently has the following limitations:
 
-- Scanner supports only BigTable for chunks index backend, and cannot currently scan other databases.
-- Supports only chunks schema versions v9, v10 and v11
+- Scanner supports only BigTable and DynamoDB for chunks index backend, and cannot currently scan other databases.
+- Supports only chunks schema versions v9 for DynamoDB; v9, v10 and v11 for Bigtable.

pkg/chunk/aws/dynamodb_index_reader.go

@@ -0,0 +1,237 @@
+package aws
+
+import (
+	"context"
+	"encoding/base64"
+	"fmt"
+	"strings"
+	"sync"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/client"
+	"github.com/aws/aws-sdk-go/aws/request"
+	"github.com/aws/aws-sdk-go/service/dynamodb"
+	gklog "github.com/go-kit/kit/log"
+	"github.com/go-kit/kit/log/level"
+	"github.com/pkg/errors"
+	"github.com/prometheus/client_golang/prometheus"
+	"golang.org/x/sync/errgroup"
+
+	"github.com/cortexproject/cortex/pkg/chunk"
+)
+
+type dynamodbIndexReader struct {
+	dynamoDBStorageClient
+
+	log        gklog.Logger
+	maxRetries int
+
+	rowsRead prometheus.Counter
+}
+
+// NewDynamoDBIndexReader returns an object that can scan an entire index table
+func NewDynamoDBIndexReader(cfg DynamoDBConfig, schemaCfg chunk.SchemaConfig, reg prometheus.Registerer, l gklog.Logger, rowsRead prometheus.Counter) (chunk.IndexReader, error) {
+	client, err := newDynamoDBStorageClient(cfg, schemaCfg, reg)
+	if err != nil {
+		return nil, err
+	}
+
+	return &dynamodbIndexReader{
+		dynamoDBStorageClient: *client,
+		maxRetries:            cfg.BackoffConfig.MaxRetries,
+		log:                   l,
+
+		rowsRead: rowsRead,
+	}, nil
+}
+
+func (r *dynamodbIndexReader) IndexTableNames(ctx context.Context) ([]string, error) {
+	// fake up a table client - if we call NewDynamoDBTableClient() it will double-register metrics
+	tableClient := dynamoTableClient{
+		DynamoDB: r.DynamoDB,
+		metrics:  r.metrics,
+	}
+	return tableClient.ListTables(ctx)
+}
+
+type seriesMap struct {
+	mutex           sync.Mutex           // protect concurrent access to maps
+	seriesProcessed map[string]sha256Set // map of userID/bucket to set showing which series have been processed
+}
+
+// Since all sha256 values are the same size, a fixed-size array
+// is more space-efficient than string or byte slice
+type sha256 [32]byte
+
+// an entry in this set indicates we have processed a series with that sha already
+type sha256Set struct {
+	series map[sha256]struct{}
+}
+
+// ReadIndexEntries reads the whole of a table on multiple goroutines in parallel.
+// Entries for the same HashValue and RangeValue should be passed to the same processor.
+func (r *dynamodbIndexReader) ReadIndexEntries(ctx context.Context, tableName string, processors []chunk.IndexEntryProcessor) error {
+	projection := hashKey + "," + rangeKey
+
+	sm := &seriesMap{ // new map per table
+		seriesProcessed: make(map[string]sha256Set),
+	}
+
+	var readerGroup errgroup.Group
+	// Start a goroutine for each processor
+	for i, processor := range processors {
+		segment, processor := i, processor // https://golang.org/doc/faq#closures_and_goroutines
+		readerGroup.Go(func() error {
+			input := &dynamodb.ScanInput{
+				TableName:              aws.String(tableName),
+				ProjectionExpression:   aws.String(projection),
+				Segment:                aws.Int64(int64(segment)),
+				TotalSegments:          aws.Int64(int64(len(processors))),
+				ReturnConsumedCapacity: aws.String(dynamodb.ReturnConsumedCapacityTotal),
+			}
+			withRetrys := func(req *request.Request) {
+				req.Retryer = client.DefaultRetryer{NumMaxRetries: r.maxRetries}
+			}
+			err := r.DynamoDB.ScanPagesWithContext(ctx, input, func(page *dynamodb.ScanOutput, lastPage bool) bool {
+				if cc := page.ConsumedCapacity; cc != nil {
+					r.metrics.dynamoConsumedCapacity.WithLabelValues("DynamoDB.ScanTable", *cc.TableName).
+						Add(float64(*cc.CapacityUnits))
+				}
+				r.processPage(ctx, sm, processor, tableName, page)
+				return true
+			}, withRetrys)
+			if err != nil {
+				return err
+			}
+			processor.Flush()
+			level.Info(r.log).Log("msg", "Segment finished", "segment", segment)
+			return nil
+		})
+	}
+	// Wait until all reader segments have finished
+	outerErr := readerGroup.Wait()
+	if outerErr != nil {
+		return outerErr
+	}
+	return nil
+}
+
+func (r *dynamodbIndexReader) processPage(ctx context.Context, sm *seriesMap, processor chunk.IndexEntryProcessor, tableName string, page *dynamodb.ScanOutput) {
+	for _, item := range page.Items {
+		r.rowsRead.Inc()
+		rangeValue := item[rangeKey].B
+		if !isSeriesIndexEntry(rangeValue) {
+			continue
+		}
+		hashValue := aws.StringValue(item[hashKey].S)
+		orgStr, day, seriesID, err := decodeHashValue(hashValue)
+		if err != nil {
+			level.Error(r.log).Log("msg", "Failed to decode hash value", "err", err)
+			continue
+		}
+		if !processor.AcceptUser(orgStr) {
+			continue
+		}
+
+		bucketHashKey := orgStr + ":" + day // from v9Entries.GetChunkWriteEntries()
+
+		// Check whether we have already processed this series
+		// via two-step lookup: first by tenant/day bucket, then by series
+		var seriesSha256 sha256
+		err = decodeBase64(seriesSha256[:], seriesID)
+		if err != nil {
+			level.Error(r.log).Log("msg", "Failed to decode series ID", "err", err)
+			continue
+		}
+		sm.mutex.Lock()
+		shaSet := sm.seriesProcessed[bucketHashKey]
+		if shaSet.series == nil {
+			shaSet.series = make(map[sha256]struct{})
+			sm.seriesProcessed[bucketHashKey] = shaSet
+		}
+		if _, exists := shaSet.series[seriesSha256]; exists {
+			sm.mutex.Unlock()
+			continue
+		}
+		// mark it as 'seen already'
+		shaSet.series[seriesSha256] = struct{}{}
+		sm.mutex.Unlock()
+
+		err = r.queryChunkEntriesForSeries(ctx, processor, tableName, bucketHashKey+":"+seriesID)
+		if err != nil {
+			level.Error(r.log).Log("msg", "error while reading series", "err", err)
+			return
+		}
+	}
+}
+
+func decodeBase64(dst []byte, value string) error {
+	n, err := base64.RawStdEncoding.Decode(dst, []byte(value))
+	if err != nil {
+		return errors.Wrap(err, "unable to decode sha256")
+	}
+	if n != len(dst) {
+		return errors.Wrapf(err, "seriesID has unexpected length; raw value %q", value)
+	}
+	return nil
+}
+
+func (r *dynamodbIndexReader) queryChunkEntriesForSeries(ctx context.Context, processor chunk.IndexEntryProcessor, tableName, queryHashKey string) error {
+	// DynamoDB query which just says "all rows with hashKey X"
+	// This is hard-coded for schema v9
+	input := &dynamodb.QueryInput{
+		TableName: aws.String(tableName),
+		KeyConditions: map[string]*dynamodb.Condition{
+			hashKey: {
+				AttributeValueList: []*dynamodb.AttributeValue{
+					{S: aws.String(queryHashKey)},
+				},
+				ComparisonOperator: aws.String(dynamodb.ComparisonOperatorEq),
+			},
+		},
+		ReturnConsumedCapacity: aws.String(dynamodb.ReturnConsumedCapacityTotal),
+	}
+	withRetrys := func(req *request.Request) {
+		req.Retryer = client.DefaultRetryer{NumMaxRetries: r.maxRetries}
+	}
+	var result error
+	err := r.DynamoDB.QueryPagesWithContext(ctx, input, func(output *dynamodb.QueryOutput, _ bool) bool {
+		if cc := output.ConsumedCapacity; cc != nil {
+			r.metrics.dynamoConsumedCapacity.WithLabelValues("DynamoDB.QueryPages", *cc.TableName).
+				Add(float64(*cc.CapacityUnits))
+		}
+
+		for _, item := range output.Items {
+			err := processor.ProcessIndexEntry(chunk.IndexEntry{
+				TableName:  tableName,
+				HashValue:  aws.StringValue(item[hashKey].S),
+				RangeValue: item[rangeKey].B})
+			if err != nil {
+				result = errors.Wrap(err, "processor error")
+				return false
+			}
+		}
+		return true
+	}, withRetrys)
+	if err != nil {
+		return errors.Wrap(err, "DynamoDB error")
+	}
+	return result
+}
+
+func isSeriesIndexEntry(rangeValue []byte) bool {
+	const chunkTimeRangeKeyV3 = '3' // copied from pkg/chunk/schema.go
+	return len(rangeValue) > 2 && rangeValue[len(rangeValue)-2] == chunkTimeRangeKeyV3
+}
+
+func decodeHashValue(hashValue string) (orgStr, day, seriesID string, err error) {
+	hashParts := strings.SplitN(hashValue, ":", 3)
+	if len(hashParts) != 3 {
+		err = fmt.Errorf("unrecognized hash value: %q", hashValue)
+		return
+	}
+	orgStr = hashParts[0]
+	day = hashParts[1]
+	seriesID = hashParts[2]
+	return
+}

tools/blocksconvert/scanner/index_reader.go renamed to pkg/chunk/index_reader.go

@@ -1,14 +1,15 @@
-package scanner
+package chunk
 
 import (
 	"context"
-
-	"github.com/cortexproject/cortex/pkg/chunk"
 )
 
-// Processor that receives index entries from the table.
+// IndexEntryProcessor receives index entries from a table.
 type IndexEntryProcessor interface {
-	ProcessIndexEntry(indexEntry chunk.IndexEntry) error
+	ProcessIndexEntry(indexEntry IndexEntry) error
+
+	// Will this user be accepted by the processor?
+	AcceptUser(user string) bool
 
 	// Called at the end of reading of index entries.
 	Flush() error

tools/blocksconvert/scanner/bigtable_index_reader.go

@@ -66,7 +66,7 @@ func (r *bigtableIndexReader) IndexTableNames(ctx context.Context) ([]string, er
 //
 // Index entries are returned in HashValue, RangeValue order.
 // Entries for the same HashValue and RangeValue are passed to the same processor.
-func (r *bigtableIndexReader) ReadIndexEntries(ctx context.Context, tableName string, processors []IndexEntryProcessor) error {
+func (r *bigtableIndexReader) ReadIndexEntries(ctx context.Context, tableName string, processors []chunk.IndexEntryProcessor) error {
 	client, err := bigtable.NewClient(ctx, r.project, r.instance)
 	if err != nil {
 		return errors.Wrap(err, "create bigtable client failed")

tools/blocksconvert/scanner/scanner.go

@@ -24,6 +24,7 @@ import (
 	"golang.org/x/sync/errgroup"
 
 	"github.com/cortexproject/cortex/pkg/chunk"
+	"github.com/cortexproject/cortex/pkg/chunk/aws"
 	"github.com/cortexproject/cortex/pkg/chunk/storage"
 	"github.com/cortexproject/cortex/pkg/util/flagext"
 	"github.com/cortexproject/cortex/pkg/util/services"
@@ -202,7 +203,7 @@ func (s *Scanner) running(ctx context.Context) error {
 			continue
 		}
 
-		var reader IndexReader
+		var reader chunk.IndexReader
 		switch c.IndexType {
 		case "gcp", "gcp-columnkey", "bigtable", "bigtable-hashed":
 			bigTable := s.storageCfg.GCPStorageConfig
@@ -213,6 +214,19 @@ func (s *Scanner) running(ctx context.Context) error {
 			}
 
 			reader = newBigtableIndexReader(bigTable.Project, bigTable.Instance, s.logger, s.indexReaderRowsRead, s.indexReaderParsedIndexEntries, s.currentTableRanges, s.currentTableScannedRanges)
+		case "aws-dynamo":
+			cfg := s.storageCfg.AWSStorageConfig
+
+			if cfg.DynamoDB.URL == nil {
+				level.Error(s.logger).Log("msg", "cannot scan DynamoDB, missing configuration", "schemaFrom", c.From.String())
+				continue
+			}
+
+			var err error
+			reader, err = aws.NewDynamoDBIndexReader(cfg.DynamoDBConfig, s.schema, s.reg, s.logger, s.indexReaderRowsRead)
+			if err != nil {
+				level.Error(s.logger).Log("msg", "cannot scan DynamoDB", "err", err)
+			}
 		default:
 			level.Warn(s.logger).Log("msg", "unsupported index type", "type", c.IndexType, "schemaFrom", c.From.String())
 			continue
@@ -297,12 +311,12 @@ func (s *Scanner) running(ctx context.Context) error {
 
 type tableToProcess struct {
 	table  string
-	reader IndexReader
+	reader chunk.IndexReader
 	start  time.Time
 	end    time.Time // Will not be set for non-periodic tables. Exclusive.
 }
 
-func (s *Scanner) findTablesToProcess(ctx context.Context, indexReader IndexReader, fromUnixTimestamp, toUnixTimestamp int64, tablesConfig chunk.PeriodicTableConfig) ([]tableToProcess, error) {
+func (s *Scanner) findTablesToProcess(ctx context.Context, indexReader chunk.IndexReader, fromUnixTimestamp, toUnixTimestamp int64, tablesConfig chunk.PeriodicTableConfig) ([]tableToProcess, error) {
 	tables, err := indexReader.IndexTableNames(ctx)
 	if err != nil {
 		return nil, err
@@ -346,7 +360,7 @@ func (s *Scanner) findTablesToProcess(ctx context.Context, indexReader IndexRead
 	return result, nil
 }
 
-func (s *Scanner) processTable(ctx context.Context, table string, indexReader IndexReader) error {
+func (s *Scanner) processTable(ctx context.Context, table string, indexReader chunk.IndexReader) error {
 	tableLog := log.With(s.logger, "table", table)
 
 	tableProcessedFile := filepath.Join(s.cfg.OutputDirectory, table+".processed")
@@ -469,7 +483,7 @@ func shouldSkipOperationBecauseFileExists(file string) bool {
 
 func scanSingleTable(
 	ctx context.Context,
-	indexReader IndexReader,
+	indexReader chunk.IndexReader,
 	tableName string,
 	outDir string,
 	concurrency int,
@@ -497,7 +511,7 @@ func scanSingleTable(
 		})
 	}
 
-	var ps []IndexEntryProcessor
+	var ps []chunk.IndexEntryProcessor
 
 	for i := 0; i < concurrency; i++ {
 		ps = append(ps, newProcessor(outDir, result, allowed, ignored, series, indexEntries, ignoredEntries))