Add exception mappers to convert storage failures to Iceberg REST client exceptions

[dimas-b]

• Note: before this change a storage 403 error would manifest as 500 on the REST client side.

• Remove ObjectIOException. Use BackendErrorStatus instead.

• Add exception mappers to convert storage failures to BackendErrorStatus
  and to Iceberg REST client exceptions.

• Store error codes in TaskStatus and convert them to Iceberg REST
  status code when failed tasks are accessed again.

• Add AccessCheckHandler to ObjectStorageMock for simulating access
  failures in tests.

Closes #8738

[snazy]

I think the "hard"/unconditional association with "non-retryable" is not good.
We need a way to distinguish "hard/final failures" from "retryable" ones, so that org.projectnessie.catalog.service.impl.Util#throwableAsErrorTaskState (via e.g. org.projectnessie.catalog.service.impl.EntitySnapshotTaskBehavior#asErrorTaskState) can return the right state (retryable vs final).

Retryable examples:

• Throttled requests
• Technical network errors ("no route to host", "read timeout")
• Other unknown (IO)Exceptions
• Forbidden (users may "fix" credentials or ACLs)

Non-retryable ones:

• Not found

We might eventually need a third TaskState - to handle "forbidden"/"access denied" better, to handle the case when the object store's ACL's just wrong: a state that's immediately reported as an error, but retried later.

[snazy]

We might eventually need a third TaskState - to handle "forbidden"/"access denied" better, to handle the case when the object store's ACL's just wrong: a state that's immediately reported as an error, but retried later.

Isn't that what TaskStatus.ERROR_RETRY already does?
Hm - seems you're right. ERROR_RETRY seems to wait until the task enters a final state.

However, not sure whether that deserves a third state. We might instead just want a "deadline" that callers can (should) provide. The resulting timeout-exception could provide a reason indicating the current state and error - but that might be a bit too much for now. WDYT?

[snazy]

To mitigate potentially unmapped/unhandled error states, WDYT about making all current FAILURE states ERROR_RETRY ones but with a somewhat higher retry interval?

[snazy]

Non-retryable ones: Not found

Actually, this feels also retryable. Sure, in a perfect world, "not found" should be a "final" state.
But it could also be an ephemeral case, for example when users messed up the object store locations - in theory though, but possible. Or if someone manually migrates files.

[dimas-b]

Yes, that's pretty much where I'm moving (in my local ATM). Each caller should timeout at some point and concurrent caller would get the same result within some time window. If another caller, touches the same task after a certain time period, a re-try will happen regardless of the root cause. We can tune with the first and second timeout separately for each "cause".

[dimas-b]

Re: "not found" : It may be in reality represent a permission error (as in GH), so we cannot really rely on the object being really missing.

[snazy]

Oh - seems the deletion of the "merge base" closed this PR :(

[dimas-b]

No worries. I'll resume on main.

[snazy]

Not a full review. It's a lot of changes in this PR. It seems, your new approach is around handling the exception when running in the "import worker", feels appropriate to me. Just need to keep in mind that we have to eventually do the same when writing files.

I think, the approach can also be implemented w/ using the ERROR_RETRY and leave the FAILURE state as it is (the changes for that are incomplete BTW).

[dimas-b]

leave the FAILURE state as it is

I'm not sure about that. I think we have to be able to re-attempt after any failure because the conditions for the failure might change over time. In a way, no failure is a "final" failure. The different between ERROR_RETRY and FAILURE is only in failing the currently waiting tasks (in the latter case).

[snazy]

leave the FAILURE state as it is

I'm not sure about that. I think we have to be able to re-attempt after any failure because the conditions for the failure might change over time. In a way, no failure is a "final" failure. The different between ERROR_RETRY and FAILURE is only in failing the currently waiting tasks (in the latter case).

Well, FAILURE is well defined now as a final state. Then I'd rather add another type. For that it's probably easier to do it in a separate PR and only focus on the tasks-stuff.

[snazy]

Basically two things left:

• Moving the config property (not a big one)
• Compatibility/behavior during rolling upgrades

Otherwise LGTM

[snazy]

I wonder how far we should go here wrt to new BackendErrorCode values added in future releases, and behavior during a rolling-upgrade (new version writing NEW_CODE but old version reading it as UNKNOWN, writing it as UNKNOWN and new version re-reading it as UNKNOWN as well). Would it make sense to serialize the error code including the HTTP status code or to make BackendErrorCode a value type?

[dimas-b]

It's not very apparent in code, but this method is called only when the Task Service decides it's done with trying to execute a task. The UNKNOWN status here will not be stored in Persist but will only float up to the caller via IcebergErrorMapper... I'll think a bit more how to make the code clearer, but ATM I'm not sure it warrants any specific action for rolling upgrades.

[snazy]

I see. All good then.

[dimas-b]

Approve? ;)

[snazy]

Let's make UNKNOWN retryable - we don't know what happened, so it can be retryable.

[dimas-b]

I know real UNKNOWN will end up in infinite retry

[dimas-b]

I'm planning to add task deadlines in a follow-up PR and also fix #8860