KAFKA-17002: Integrated partition leader epoch for Persister APIs (KIP-932)

[apoorvmittal10]

The PR integrates leader epoch for partition while invoking Persister APIs. The write RPC is retried once on leader epoch failure.

Committer Checklist (excluded from commit message)

• Verify design and implementation
• Verify test coverage and CI build status
• Verify documentation (including upgrade notes)

[AndrewJSchofield]

I'm not quite sure about this one. Integrating the leader epoch into the persister write API is good, but I am not sure whether the handling of the fenced case makes sense. Essentially, if the Write RPC returns a fenced error, it means that a later leader epoch is being used for this share-partition state, and that means another share-partition leader for this partition is using a later epoch, which presumably means this SPL is philosophically dead.

[apoorvmittal10]

I'm not quite sure about this one. Integrating the leader epoch into the persister write API is good, but I am not sure whether the handling of the fenced case makes sense. Essentially, if the Write RPC returns a fenced error, it means that a later leader epoch is being used for this share-partition state, and that means another share-partition leader for this partition is using a later epoch, which presumably means this SPL is philosophically dead.

Hmm, the only scenario I was thinking about that if partition epoch is bumped for any other reason and same broker remains the partition leader then a retry should be needed to fetch latest partition epoch. If that's not true then I agree that retry doesn't make sense.

I was also thinking if we should have an identiifer/boolean in SPL that can be toggled when SPL is not a leader. This identifier once set to false will fail all requests with not leader exception, if received any call. So client can switch to new leader.

[apoorvmittal10]

@mumrah Can you please review as well and provide input on Partition epoch. @AndrewJSchofield might be right and we might just want to fail the request when such leader error occurs. Just confirming prior making the change.

[apoorvmittal10]

@junrao @mumrah Can you please advise me about the partition epoch handling please. It would be great if you can take a look please.

[junrao]

@apoorvmittal10 : Thanks for the PR. Left a comment.

[junrao]

This doesn't look right. ShareFetch can only be served at the leader. If this broker is not the leader, leaderEpoch is -1. In that case, we need to send a NOT_LEADER_OR_FOLLOWER error to the client instead of retrying.

The easiest thing on receiving FencedLeaderEpochException is probably to always send an error back to the client and mark the SharePartition as invalid. This way, if the broker becomes the leader again, a new SharePartition will be created and trigger the initialization of group state from the share coordinator.

We probably also want to check if the broker is still the leader on each shareFetch/shareAck request.

[apoorvmittal10]

I have addressed the concern.

[junrao]

Should this be volatile since it's written and read by different threads?

[apoorvmittal10]

It's now read only in share partition.

[junrao]

@apoorvmittal10 : Thanks for the updated PR. A few more comments.

[junrao]

extra new line

[apoorvmittal10]

Removed.

[junrao]

Why do we need to make this change? The current format seems to match other existing code.

[apoorvmittal10]

Reverted.

[junrao]

We need to return a NOT_LEADER_OR_FOLLOWER error to the client if the broker is not the leader.

[apoorvmittal10]

Done.

[junrao]

Is there a particular reason to use computeIfPresent instead of remove? The latter is more intuitive.

[apoorvmittal10]

I was trying to solve which is not required. I have moved to remove.

[junrao]

We don't use getters. So this can just be leaderEpoch.

[apoorvmittal10]

Done.

[junrao]

To be consistent, we want to add the same logic for shareFetch too.

To do this, we need to extend FetchParams such that fetchOnlyLeader() is true for share fetch and handle NotLeaderOrFollowerException accordingly.

[apoorvmittal10]

Done.

[apoorvmittal10]

@junrao Sorry, I was in middle of my changes when last reviewed. But thanks for the feedback. I have completed the changes now, can you please re-review. Sorry for the trouble.

[AndrewJSchofield]

Thanks for the PR.

[AndrewJSchofield]

I suggest "fenced" should appear in the method name. This is essentially seeing if the exception indicates fencing and then discarding the share partition from the cache.

[apoorvmittal10]

My idea was to have general exception handling method as we might find other exceptions which needs some handling as well. Do you think we should strictly have fenced special handling method?

[AndrewJSchofield]

My point was that you're really only handling a couple of exceptions at the moment, and they're both fencing-related. Anyway, just a suggestion.

[apoorvmittal10]

Thanks, I have changed the method name. Might move to generic one if required in future.

[AndrewJSchofield]

Does the SharePartition need to be put into a fenced state? Removing it from the cache is good for future requests, but is that enough for the object which is already in existence?

[apoorvmittal10]

So we remove share partition from cache at 2 places. 1) When initialization failed 2) When fenced error occurs.
For 1, it's safe as its still in initilization state.

For 2, I was in mixed opinion. As all interactions with share partition happens currently while fetching instance from cache hence once removed or re-initialized the new state should appear. But if old share partition instance is already held by some other thread then acknowledge will anyways fail but fetch can succeed. Do you think it would be sensible to have another state in SharePartition as Fenced, which once set then fetch lock on that share partition cannot be attained. Do you think we should have an active status check on all Share Partition APIs as well?
cc: @adixitconfluent

[adixitconfluent]

I think its better to have a new state. Should we have a state as TERMINATED/FENCED because a share partition should also be removed from SPM in case the topic partition is deleted or becomes a follower (https://issues.apache.org/jira/browse/KAFKA-17783). Wdyt @apoorvmittal10 @AndrewJSchofield

[AndrewJSchofield]

Yes, I think these states sound sensible.

[adixitconfluent]

Do you think we should have an active status check on all Share Partition

Yes, I agree on this as well

[mumrah]

Do we have a state machine written down somewhere for SharePartition?

[apoorvmittal10]

Hmmm, not yet. Let me create the state transitions better in a single place where we can see the transitions.

[AndrewJSchofield]

I've checked the error codes here and the KIP looks right to me.

[AndrewJSchofield]

I wonder whether this is a bit literal. Why are we supplying a ClientMetadata here in the share fetch case? That seems to me to be concerned with fetch-from-follower. If we didn't supply a ClientMetadata, then fetchOnlyLeader() would already return true without needing the new flag.

[apoorvmittal10]

So ClientMetadata includes details for rackId, listenerName which I see in regular fetch if utilized for figuring read replica. Not sure if that would be relevant for ShareFetch in future and if we should skip always for ShareFetch. Hence I have added the additional shareFetchBoolean. Please let me know what you think. Also adding @junrao to provide his inputs.

[junrao]

@apoorvmittal10 : Thanks for the updated PR. A few more comments.

[junrao]

If we get an error like UNKNOWN_TOPIC_OR_PARTITION or FENCED_STATE_EPOCH, should we remove the sharePartition too?

[apoorvmittal10]

I have handled it.

[junrao]

Should we include the new param in hashCode and equals too?

[apoorvmittal10]

Missed it, thanks added.

[junrao]

At the beginning of this method, we check for LeaderNotAvailableException. When do we get that exception? ReadShareGroupStateResponse doesn't seem to have that error.

[apoorvmittal10]

LeaderNotAvailableException is an internal exception from SharePartition to SharePartitionManager which can occur only when SharePartition is in process of initialization and not yet complete. Hence fo that period just keep the requests in purgatory.

[junrao]

Should we include UNKNOWN_TOPIC_OR_PARTITION below too?

[apoorvmittal10]

Added.

[junrao]

We lose the error message in throwable when converting it to Error.

[apoorvmittal10]

Done.

[junrao]

Do we need this since it's part of SharePartitionKey?

[apoorvmittal10]

Thanks, removed.

[junrao]

ShareFetchUtils.leaderEpoch can return exceptions like NOT_LEADER_OR_FOLLOWER and UNKNOWN_TOPIC_OR_PARTITION. Should we handle that at the partition level?

[apoorvmittal10]

Handled at partition level. But I have added a couple of TODOs in the PR to take them in follow up as this PR is getting bigger. I am of opinion that we can take the changes incrementally.

[junrao]

Typically, the error code is returned in responseLogResult. So we need to handle the error there too.

[apoorvmittal10]

As we are going with massive refactor with min bytes PR in delayed share fetch, also the handling of this error will have it's own quite possible cases hence created a jira to take that up in following PR: https://issues.apache.org/jira/browse/KAFKA-17887

[apoorvmittal10]

@junrao I think the error from LogReadResult is already handled as we set the respective partition level error while parsing response in ShareFetchUtils.processFetchResponse method. Am I missing something?

[junrao]

Yes, it seems this is no longer an issue.

[apoorvmittal10]

Thanks for confirming @junrao, I have closed the ticket.

[junrao]

1. We probably want to verify the leader epoch in SharePartition before removal to avoid a newly created SharePartition being removed by an old request.
2. We piggyback the removal in an error response. The downside is that there are quite a few error places to handle and it is reactive. An alternative is to have a partitionLeaderEpochChange listener. We can then proactively remove a SharePartition when the leader epoch changes.

[apoorvmittal10]

Both are great suggestions, do you think it would be right to have it in follow up PRs?

[apoorvmittal10]

@junrao I have made a lot changes and the PR is getting bigger and bigger. I am reverting some of my local changes and will write a plan with jiras so we can proceed.

[mumrah]

Making this final implies the SharePartition is now scoped to the lifetime of a partition's leader epoch. Since SPs are managed by the node which is the leader for that partition, I guess this is already the case (and not really a problem). We normally expect the leader to move when the leader epoch increases, but I'm not sure if that's always the case.

Hypothetically, if a leader epoch increased but the leader did not move, would it be possible to reuse the SharePartition state? Or would we need to re-load its state from the persister anyways?

[apoorvmittal10]

Yeah, it's for share partition life time. We are marking the Share Partition fenced and un-usable if an error occurs. Which means the state should be re-loaded from the persister to function ahead.

[mumrah]

Do we have a state machine written down somewhere for SharePartition?

[mumrah]

Returning an OptionalInt would be a bit nicer than throwing there (maybe). If we actually want a helper method that throws, we should incorporate that into the name (e.g., leaderEpochOrThrow)

[apoorvmittal10]

With an optionalInt again we need to check and pass the right error. So either we have this method or create leaderEpochOrThrow in replica manager.

[apoorvmittal10]

So here is the summary. Sorry, the PR is growing. As now it's more of error handling and less of just leader epoch propagation.

The current PR has following:

• Fetches LeaderEpoch and passes to SharePartition. If leader epoch (fenced/state epoch), unknown topic partiton or unknown group error arrives then Share Partition will be removed from cache. At the same time the share partition will be marked fenced.
• For same, Fenced state has been added in the PR.
• There exists 2 checks for fenced state in SharePartition a) While acquiring records b) While acquiring fetch lock. Hence any inflight request which tries to acquire records will fail. Though even prior to that requests will start failing while acquiring lock. This prevents us to send any new records to consumers for fenced share partitions. However, I didn't add the check on acknowledge and release APIs as they will eventually fail while persisting, if should.
• Added the error handling for leader epoch at SharePartiton level, which means if in a request of 5 topic partitions, if 3 are fenced then the request should proceed for remaining 2 share partitions rather failing completely.

Some follow ups to do:

• https://issues.apache.org/jira/browse/KAFKA-17510 - Additional error handling and trigger fetch, once the initilization of share partition is completed and the request is in purgatory.
• https://issues.apache.org/jira/browse/KAFKA-17887 - Error handling for response log result in delayed share fetch.
• Better state machine transition in Share Partition.
• Consider using listener to fence and remove Share Partition.
• Add a check for leader epoch prior removing share partition instance.
• Send error partitions response as well, currenlty if all partitions fail or succeed then fail/success response is sent for all else only for partitions for which data is fetched.
• Additionally I am thinking to rename ShareFetchData to ShareFetch and provide better handling of future completion as the code is a bit fragmented today.

I am planning to have couple of follow up PRs, if @junrao @AndrewJSchofield @mumrah you think is fine. As with tests and changes, this PR is getting bigger and bigger.

[junrao]

@apoorvmittal10 : Thanks for the updated PR. A few more comments.

[junrao]

This is weird. We actually don't know which partition causes throwable. Ideally, we should just set a top level error instead of applying it on each partition. We probably shouldn't remove the SharePartition here since we are not sure which partition to remove.

[apoorvmittal10]

Hmmm, though you are right but the problem is that ShareFetchResponse contains both Fetch and Acknowledgement response. If we set a top level error code then the acknowledgement in request will also be responded as failed however acknowledgement might have succeeded.

The reason I was removeing the SharePartition in this condition was that recreating a new SharePartition is cheap. However if you think we shouldn't remove then I will avoid that and see waht scenarios we encounter during the tests (moving partitions in a cluster).

[junrao]

It seems it's more intuitive to initialize erroneous as an empty map so that we don't need to deal with it being null.

[apoorvmittal10]

The exception occuring from getOrCreateSharePartition will be rare hence I was of an opinion of not initializing the erroneous and do that only when needed.

[junrao]

The line is getting too long. Could we avoid calling entry.getValue() twice?

[apoorvmittal10]

Agree, done.

[junrao]

We probably should throw a fenced exception and let the caller handle it. This can be done in a separate PR.

[apoorvmittal10]

Sure, https://issues.apache.org/jira/browse/KAFKA-17901.

[junrao]

Hmm, should we explicitly mock sp1.maybeAcquireFetchLock to false?

[apoorvmittal10]

Thanks, done.

[junrao]

Hmm, why does the completed future have only 1 partition?

[apoorvmittal10]

Because fetch didn't happen for other partition as it was not acquirable. Though final response from KafkaApis consolidates the topic-partitions from erroneous (from KafkaAPIs), share partition manager's topic partitions and remaining with empty data.

[apoorvmittal10]

Hi @junrao , thanks for the feedback. Addressed and replied.
There is one test which was previously marked as flaky but I can see the failure in this PR as well. I have updated the ticket for the flaky test as well.

https://issues.apache.org/jira/browse/KAFKA-17463?jql=text%20~%20%22testShareGroups%22

[junrao]

@apoorvmittal10 : Thanks for the updated PR. LGTM