Make granting catalog roles idempotent for JDBC persistence

[snicholasbarton]

Fixes #4553

Currently granting catalog roles with JDBC-backed persistence ends up throwing an HTTP 500 due to a PK constraint violation: all fields in grant records are in the PK and the service endpoint is a PUT (implying idempotency). This change catches the violation and silently succeeds. Later if additional non-PK fields are added to the grant_records table, this implementation might need to change to allow updating those attributes.

I think the alternative here is to propagate conflicts and ultimately throw a 409 - but this contradicts the original Javadoc in BasePersistence, which I think means that the aim is that this does not throw on conflict.

Checklist

• 🛡️ Don't disclose security issues! (contact security@apache.org)
• 🔗 Clearly explained why the changes are needed, or linked related issues: Fixes #
• 🧪 Added/updated tests with good coverage, or manually tested (and explained how)
• 💡 Added comments for complex logic
• 🧾 Updated CHANGELOG.md (if needed)
• 📚 Updated documentation in site/content/in-dev/unreleased (if needed)

[flyrain]

Thanks a lot for the fix, @snicholasbarton ! Left a few comments.

[flyrain]

Narrow swallow looks right, only SQLSTATE 23505 (unique_violation) is suppressed; FK/NOT NULL/CHECK still propagate via the existing throw. Can we double check cockroachDb and H2 to ensure the state is consistent across them?

[snicholasbarton]

Yes - both Cockroach (source / docs) and H2 (source) also use 23505 specifically for uniqueness constraint. Added a comment indicating as such.

Renamed the constant and method to make it clear it's checking for uniqueness constraint violations.

[flyrain]

The body now says "no-op" but @param grantRec still says "potentially replacing an existing entity record with the same key", can we reconcile to one wording? Also worth noting that a duplicate write still triggers grant-records-version bumps in the calling path.

[snicholasbarton]

Updated the param wording.

For the grant-records-version - that's used for caching, right? So after this change - where dupe writes don't throw - we pay an extra write (to the grant records version table) + later an extra read (after the invalidated cache lookup). I would anticipate that in normal use there probably isn't a huge number of these dupes, so maybe that's an acceptable trade.

If we do care about it we could potentially return a flag indicating whether a write was /actually/ made and only increment the version if so? Would potentially want to do that as a separate change.

[flyrain]

Optional: also add a negative case asserting non-23505 SQLExceptions still propagate (e.g. via a stub DatasourceOperations), so the swallow stays narrow if someone widens isConstraintViolation later.

[snicholasbarton]

Added

[dimas-b]

Thanks for your contribution, @snicholasbarton !

[dimas-b]

Would it be more appropriate to use MERGE INTO SQL instead?

[snicholasbarton]

I'm not opposed in theory; if non-PK fields are added later then we probably do want this. Chose not to here for consistency (didn't see any existing direct upsert query patterns), portability (I think the query might be different per PG/Cockroach/H2), and YAGNI (all the fields are part of the PK, so currently we don't actually have anything to update). Happy to revisit if you think it's worth it

[dimas-b]

Fair enough 👍 Thanks for narrowing the method name to "unique constraint" violations. Given that we currently have only the PK constraint on this table this change looks pretty solid to me.

[dimas-b]

nice 👍

[flyrain]

+1

[flyrain]

Thanks @snicholasbarton for the fix. Thanks @dimas-b for the review.