[core] Support commit isolation level

[BsoBird]

Purpose

For the file system catalog, there are many situations where we need to support stricter commit policies.This is especially true for third-party databases that use paimon as their underlying storage.

We define the commit isolation level option to control the behavior.

Linked issue: none

1. Disable retry after failed commits in strict mode
2. In strict mode, reject and clean up potentially dirty commits.
3. Categorized possible exceptions and adjusted the exception handling logic.
4. Supports concurrency control.
5. In strict mode, do not use any hint file.

Tests

See FileStoreCommitTest.java.

API and Format

None

Documentation

Glossary:

• Dirty-commit: commitSnapshotId < CurrentLatestSnapshotId - snapshot.num-retained.max && commit-success=True && snapshotManager.exists(commitSnapshotId)=True && (commitSnapshotId not belong any tag/branch)

Flow chat (use strict mode):

    graph TD
START[startCommit] -->USE-LOCK{USE-LOCK?}
USE-LOCK -->|YES| COMMIT_WITH_LOCK{COMMIT_WITH_LOCK_SUCCESS}
USE-LOCK -->|NO| CHECK-BEFORE{CHECK-BEFORE-SUCCESS?}
CHECK-BEFORE -->|NO| COMMIT_FAILED
CHECK-BEFORE -->|YES| COMMIT{COMMIT_SUCCESS?}
COMMIT --> |commit state unknown| COMMIT_FAILED
COMMIT --> |not success| COMMIT_FAILED
COMMIT --> |YES| IS_DIRTY_COMMIT{IS_DIRTY_COMMIT?}
IS_DIRTY_COMMIT --> |YES| COMMIT_FAILED
IS_DIRTY_COMMIT --> |NO| COMMIT_SUCCESS
COMMIT_WITH_LOCK --> |failed-normal| RETRY
COMMIT_WITH_LOCK --> |failed - strict mode| COMMIT_FAILED
COMMIT_WITH_LOCK --> |success| COMMIT_SUCCESS
RETRY --> END
COMMIT_SUCCESS --> END
COMMIT_FAILED --> END

Loading

[BsoBird]

@JingsongLi Hi. Can you check this? Tks.

[BsoBird]

After throwing an IO exception, it's a good idea to check it again.Currently, this checking strategy is not fully applicable to object storage systems and may result in false positives.However, as the industry evolves, object storage systems are starting to support mutex operations.In the long run, I think we need to add check operations.

However, please note that we can only check for IO exceptions after they are caught, because they are thrown by the server, and we should not do any checking for client-side exceptions.

[JingsongLi]

This can be a separate PR?

[BsoBird]

This can be a separate PR?

sure

[BsoBird]

If the rename operation succeeds, we should ignore any exceptions thrown after that.

[BsoBird]

If Serializable is turned on, and the locking service is not used, we should delete all HINT files, as they are always unreliable.

[BsoBird]

The previous method name wasn't clear enough, so I've replaced it

[BsoBird]

If a dirty commit occurs, the previous processing logic throws an exception, which affects the running of the test case.

[BsoBird]

If any exception occurs during the commit process, we should throw a CommitStateUnknownException and not clean up any data.

[BsoBird]

Maybe cleaning up dirty commits will interfere with the creation of branch/tag. But since we are always cleaning up snapshots that exceed snapshot.num-retained.max.This shouldn't have much of an impact. After all, if we keep a snapshot that matches the characteristics of a dirty commit, we may never find the right time to delete it.

[BsoBird]

Here we need to add the logic of whether the snapshot belongs to a branch or tag.PR 3787 (#3787) provides this functionality, I'm not sure if I need to merge it with that PR?

[BsoBird]

For now I'm starting by porting some of the code from 3787 to the current PR.

[JingsongLi]

Thanks @BsoBird ! I need time to look this, next week will give your feedback.

[JingsongLi]

Hi @BsoBird , I have no idea why the changes is so big...

In my imagination, we only need one branch to complete the new commit mode.
Please note that this is the core code, and any modifications may result in serious consequences.