Persist Job Failure summaries for failed and cancelled attempts

[pmossman]

What

This PR introduces a schema for capturing information about failures that occur during sync jobs.

How

The ConnectionManagerWorkflow collects failure information and persists it to the Attempts table when an attempt fails or is cancelled. The DefaultReplicationWorker now records failures thrown from within the source and/or destination, and includes failure information in the ReplicationOutput. This failure information is then written to StandardSyncOutput in the replication activity, so that the ConnectionManagerWorkflow can access and persist it.

The ConnectionManagerWorkflow also catches all childWorkflowExceptions from the sync workflow. If the exception originated from an activity (for example, normalization), then the failure source is identified from the ActivityFailure. Otherwise, the failure source is recorded as 'unknown'.

Recommended reading order

I recommend reading commit by commit

Misc

• WIP as I still need to write tests, I wanted to get this up for feedback ASAP
• This PR doesn't include failure recording in the old scheduler, should we add failure recording logic to the old schedulerApp code as well? I have a local branch with some progress on the old scheduler but depending on the timeline for switching over to the new one, it may not be worth pursuing.
• I haven't written a migration to add the new column, so it just logs what it would have persisted for now.
• This is branched off of Benoit's WIP branch, I'll periodically rebase onto his to keep things up to date

[cgardens]

looks great to me.

i left one sort of open question about how we should track retriability. i don't think we need to block on it as it should be easy enough to add in after the fact.

[cgardens]

it should refer to whatever uuid we use in the user table in the cloud database i think.

[cgardens]

@edgao was sharing some feelings on this field that made a lot of sense to me (that was missing in the original spec). Parker, I also think I'm contradicting something I said to you last week, so sorry for the mind change. That we should have the concepts of: quarantine for the user to fix it, quarantine for airbyte to fix it, retry, unknown. would love to figure out how to add that in this struct some how. @edgao wdyt?

[edgao]

Could failureType be directly replaced with the error class? And then remove the retryable entry. Something along these lines:

• unknown -> unknown
• permissionError -> userError
• systemRestart -> retry (?)
• zombie -> airbyteError (?)
• manualCancellation -> notAnError

I'm kind of torn on whether to keep the more granular failureType - on the one hand, it could be interesting to display stats like "in the last 30 days, 60% of your errors were permissions-related" (maybe this could nudge users to have better processes around managing access, or encourage us to build certain features, etc). But this enum feels like it could easily become a very long list that contains every error under the sun, up to and including targetWidgetDidNotExistBecauseSourceWhizbangWasImproperlyCalibrated.

[pmossman]

I think this comment thread from the original tech spec is very relevant: https://docs.google.com/document/d/1vy2iWmiGK5gptLCJVmzYckQj24zFuwF6C_Q-YIlP0is/edit?disco=AAAATDVxx6o .

No worries about contradicting anything! It makes sense that we'd want to iterate on what we want to do with the schema now that we can see how it'll actually interact with and exist in the codebase. I think replacing retryable (boolean) with an enum that captures those different resolution paths is a great call.

failureType definitely feels hard to keep reasonably scoped. @edgao when you say "error class", do you mean like the actual Exception.class value of the original exception?

[cgardens]

cool. enum makes sense to me!

[edgao]

sorry, error class as in unknown/userError/retry/etc. Wanted to avoid overloading the term failureType in my comment but am bad at naming >.>

That comment thread does look relevant! Gonna put thoughts here b/c gdoc comments aren't great for longform discussion IMO.

user intervention

@cgardens does "quarantined for TS" exist in this usecase? To my understanding, we (airbyte) don't really get involved in actually configuring anything, and everything is just configured by the user, so there's no real TS-equivalent. But maybe I'm missing something there.

more granular failure reasons

I strongly believe the translation from "granular failure reason" (e.g. permissionError) to "high-level failure handling strategy" (userError + user-friendly message) should live as close to the source of the error (destination-s3) as possible. Then the UI/orchestrator can just check that high-level failure type, rather than needing to know about all the different granular failure reasons.

@cgardens what sort of usecases are you envisioning by having the more granular failure reason? I'm seeing it mostly as useful for a human analyst to look at.

What if we changed failureType to a string here, but in each individual component is actually an enum? So e.g. the worker might emit one of zombie|idk|whatever, and destination-s3 could emit one of missingPermissions|networkTimeout|bucketDoesNotExist|etc.

Then it would take some more effort during analysis to map different granular reasons together (e.g. if source-shopify emits a badOauth failure, but source-google-ads emits invalidOauth, we'd need to tie those together somehow), but at least we'd capture it in a somewhat programmatically-friendly way. They could probably also be standardized to some extent (e.g. any blob store connector could have bucketDoesNotExist, any oauth connector could have invalidClientId, etc).

(I'm obviously thinking about this in a very connector-centric way. but I think it extends to platform-ish areas fairly intuitively)

[benmoriceau]

This can relate to some discussion we had around the new scheduler. The plan was to have 2 type of exceptions thrown by activities: RetryableException and NonRetryableException. We didn't have time to properly defined what is retryable and what is not. The new scheduler is suppose to be design to handle the scenario you describe and provide the tools to list the quarantine as well as the signal and query method to return the cause and unstuck a sync in the long term.

[pmossman]

@edgao I think you raise some great points that we'll definitely want to consider as we iterate on error/failure handling throughout the platform. I think we'll eventually want to "incentivize" connectors to conform to some standardized form of error/failure reporting, perhaps even defining classes of failures with the expected platform handling in a future version of the protocol.

For now, I think the goal of this PR should primarily be to:

1. make it possible to differentiate between source and destination failures today
2. create a baseline schema for capturing failure metadata that can serve as a starting point for further iteration

I think the failureSource solves for goal #1, and we can solve for #2 by supporting an optional failureType string field like you suggested, with the expectation that we'll want to iterate towards some sort of standardization before we start deriving much value from it.

[edgao]

cool, that makes sense to me 👍

[cgardens]

i like this class. keeps all of the code in the complicated parts of the code path easier to read!

[edgao]

Could failureType be directly replaced with the error class? And then remove the retryable entry. Something along these lines:

• unknown -> unknown
• permissionError -> userError
• systemRestart -> retry (?)
• zombie -> airbyteError (?)
• manualCancellation -> notAnError

I'm kind of torn on whether to keep the more granular failureType - on the one hand, it could be interesting to display stats like "in the last 30 days, 60% of your errors were permissions-related" (maybe this could nudge users to have better processes around managing access, or encourage us to build certain features, etc). But this enum feels like it could easily become a very long list that contains every error under the sun, up to and including targetWidgetDidNotExistBecauseSourceWhizbangWasImproperlyCalibrated.

[edgao]

this isn't actually an error, right? Is it just included here because it's surfaced via an exception?

[pmossman]

Yeah there was a bit of back and forth on this in the tech spec. It might make sense to leave it out of the failure summary and instead just have a top-level cancelledBy column on the attempts table for audit-trail purposes.

@cgardens now that you see it in code, how do you feel about it? I personally think it feels a bit unintuitive as-is. I think this is what you were getting at in the tech spec thread, like in order for this approach to make sense, we would want to use a failed status for cancelled jobs rather than having an entirely-separate cancelled status.

[cgardens]

Parker, I agree with what you suggested. Let's do it.

[benmoriceau]

Minor cosmetics comments.

[benmoriceau]

Nit: You can use the variable standardSyncSummary instead of standardSyncOutput.get().getStandardSyncSummary() here.

[benmoriceau]

Nit: it can be refactor in:
else {
switch (chilldWorkflowFailure) {
case ActivityFailure a: ...
default: ...
}
hrow childWorkflowFailure;
}

From: https://docs.oracle.com/en/java/javase/17/language/pattern-matching-switch-expressions-and-statements.html

[pmossman]

@cgardens I know you approved a while ago, could you give this another review before I consider it ready-to-merge? A few things have changed a bit since your initial review, namely:

1. Removed 'retryable' boolean in favor of 'failureType', which is now an enum with values userError, systemError, transient, and unknown. I expect that this will evolve over time and currently we aren't populating this enum at all, but I'm hoping this serves as a baseline that we can start to populate when we aim to start programmatically handling well-known failures. My thinking here was that eventually we can eventually surface something like a recommended resolution path to the user: userError -> user needs to intervene/fix their config/etc. systemError -> Airbyte needs to intervene, no action for the user to take. transient -> recommend a retry to the user since it might work.

2. Renamed failureSource to failureOrigin because source is overloaded

3. Added tests, particularly in the ConnectionManagerWorkflow to ensure that we at least have test coverage for the failureOrigin part of the schema, as that is definitely the most immediately-valuable feature of this project right now