-
Notifications
You must be signed in to change notification settings - Fork 134
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug] BQ is not applying policies to the same object at the same time #1167
Comments
Hey there! |
Hi!
So in our CI workflow, GitHub Actions, the dbt config has 32 threads. The
error shows up when this is executed, however when threads are switched to
2 the error goes away. The multiple invocations are through GitHub Actions
workflow when deploying to production environment.
Best,
Saahil.
…On Thu, 11 Apr 2024 at 8:56 PM, Florian Eiden ***@***.***> wrote:
Hey there!
Could you help us reproduce the case? I'm wondering how you get concurrent
changes here? Are you running multiple invocations of dbt in parallel?
—
Reply to this email directly, view it on GitHub
<#1167 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AEXPU4S3YOVMOF2A47F54GDY43TH3AVCNFSM6AAAAABFVV73I2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDANJQGQYTSMBQGE>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
Hi there, could you please add a minimum reproducible example to the issue, so we can investigate? |
Hello, I find it to be a complex setup that may not be easily replicated in a smaller project or a Minimal Reproducible Example. Nonetheless, the issue is clear enough to address without simplification. Here are the specifics:
|
So is the issue that the post-hook grants are operating at the schema level, but are executed at the model level? |
So, for example : For a "role.xx" the post-hooks are trying to assign principals (users) to that same role (could be for 'n' tables). This updation must happen at once and be written back for the policy to be consistent. However, since we are working with 32 threads, we are trying to modify the policy status concurrently and the IAM scope encounters mismatch in state as several GRANTS are being processed concurrently and their state is volatile. One thing to note here, even if we are granting the "role.xx" access to a dataset 'y' and that change is yet to be written back, if we try to allow the same role, access (parellelly) to dataset 'z', it would fail even when the changes don't concern each other. In the same manner, allowing access to the same dataset, concurrently, would fail. |
Is this a new bug in dbt-bigquery?
Current Behavior
BigQuery does not allow to apply policies to the same object at the same time, even if those policies have the same effect.
Error message:
500 IAM setPolicy failed for Dataset <>: There were concurrent policy changes.
Perhaps we would need to update how we apply and persist grants here?
Expected Behavior
Policies could be applied concurrently to the same object at the same time.
Steps To Reproduce
Only affects when BQ is running concurrent changes, and when running the grants separately and sequentially in the console returns a successful execution, which indicates that parallel invocations of these queries might be causing the issue.
Relevant log output
No response
Environment
Additional Context
No response
The text was updated successfully, but these errors were encountered: