release-20.2: backupccl: fix restore aost bug with dropped desc revisions #69639

Merged


adityamaru
Contributor

@adityamaru adityamaru commented Aug 31, 2021

This is a fix for a discrepancy in the descriptor resolution
logic during restore planning and execution, for a full cluster restore.

While the resolution logic in restore planning filtered out descriptor
revisions in the dropped state, the logic in execution did not do this. As a
result of this, the restore job would process additional descriptors (the
dropped revisions). In the case of full cluster restores, the planning phase
picks an id higher than all restored desc ids, for the tempSystemDB. The
additional dropped descriptor revisions during execution could have the same
id as the tempSystemDB. This id clash would cause issues when processing
descriptor rewrites which are keyed on the descriptor id.

Table and database restores are not affected by this bug since we filter the
descriptors during execution based on the descriptor rewrites we allocated in
planning. Since no additional entries for system tables are added to the
rewrites, we expect to filter out all dropped revisions since there will be
no rewrites allocated for them in the first place.

Release note (bug fix): Fixes a bug in full cluster restores where
dropped descriptor revisions would cause the restore to fail.

Release justification: Fixes a bug in full cluster restore where dropped
descriptor revisions were causing restore jobs to fail.

@adityamaru adityamaru requested review from dt, pbardea and a team August 31, 2021 14:30
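
The planning/execution mismatch described in the PR description above, as a simplified model in Go. This is an added example, not CockroachDB code: every type and function name and the sample backup are hypothetical and constructed for illustration.

```go
package main

import "fmt"

// desc is a hypothetical stand-in for a descriptor revision in a backup.
type desc struct {
	ID      int
	Name    string
	Dropped bool
}

// loadDescs models the load step shared by planning and execution.
// filterDropped=false reproduces the pre-fix execution behaviour.
func loadDescs(backup []desc, filterDropped bool) []desc {
	var out []desc
	for _, d := range backup {
		if filterDropped && d.Dropped {
			continue
		}
		out = append(out, d)
	}
	return out
}

// planTempSystemDBID picks an ID higher than every descriptor planning saw.
func planTempSystemDBID(planned []desc) int {
	highest := 0
	for _, d := range planned {
		if d.ID > highest {
			highest = d.ID
		}
	}
	return highest + 1
}

// clashes names the descriptors seen in execution that share the temp DB's ID,
// which is what breaks rewrites keyed on descriptor ID.
func clashes(executed []desc, tempID int) []string {
	var names []string
	for _, d := range executed {
		if d.ID == tempID {
			names = append(names, d.Name)
		}
	}
	return names
}

// Constructed sample: table t2 (ID 54) was dropped before the restore timestamp.
var sampleBackup = []desc{{52, "db", false}, {53, "t1", false}, {54, "t2", true}}

func main() {
	tempID := planTempSystemDBID(loadDescs(sampleBackup, true))
	fmt.Println("unfiltered execution:", clashes(loadDescs(sampleBackup, false), tempID))
	fmt.Println("filtered execution:  ", clashes(loadDescs(sampleBackup, true), tempID))
}
```

Filtering inside the shared load step means planning and execution always see the same descriptor set, so the ID chosen in planning stays unused during execution.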
@blathers-crl

blathers-crl bot commented Aug 31, 2021

Thanks for opening a backport.

Please check the backport criteria before merging:

  • Patches should only be created for serious issues.
  • Patches should not break backwards-compatibility.
  • Patches should change as little code as possible.
  • Patches should not change on-disk formats or node communication protocols.
  • Patches should not add new functionality.

If some of the basic criteria cannot be satisfied, ensure that the exceptional criteria are satisfied within.

  • There is a high priority need for the functionality that cannot wait until the next release and is difficult to address in another way.
  • The new functionality is additive-only and only runs for clusters which have specifically “opted in” to it (e.g. by a cluster setting).
  • New code is protected by a conditional check that is trivial to verify and ensures that it only runs for opt-in clusters.
  • The PM and TL on the team that owns the changed code have signed off that the change obeys the above rules.

Add a brief release justification to the body of your PR to justify this backport.

Some other things to consider:

  • What did we do to ensure that a user that doesn’t know & care about this backport, has no idea that it happened?
  • Will this work in a cluster of mixed patch versions? Did we test that?
  • If a user upgrades a patch version, uses this feature, and then downgrades, what happens?

@cockroach-teamcity
Member

This change is Reviewable

@adityamaru
Contributor Author

@pbardea how do you feel about this? loadSQLDescsFromBackupsAtTime is the first method called during both planning and execution. I thought it best to filter out dropped revisions as early as possible. Currently, for targeted restores i.e. backups and databases we filter out dropped descriptors in descriptorsMatchingTargets and for full cluster restores in fullClusterTargets.

@adityamaru
Contributor Author

adityamaru commented Aug 31, 2021

Hmm now that I think about it, the assertion might be too aggressive. Thinking it through.

Edit: The assertion was incorrect, removed.

@adityamaru adityamaru removed the request for review from a team August 31, 2021 14:38
Contributor

@pbardea pbardea left a comment

I like consolidating the dropped desc filtering here to keep it in one place. Perhaps a comment on loadSQLDescsFromBackupsAtTime would help readability.

@adityamaru
Contributor Author

Merging this without bake time on master because it is a critical bug that is preventing a customer from successfully running restore. We would like the next dot release to have this fix. The change is small and we have a regression test to exhibit the targeted bug fix.

@adityamaru adityamaru merged commit 7ea7873 into cockroachdb:release-20.2 Aug 31, 2021