KAFKA-9418: Add new sendOffsetsToTransaction API to KafkaProducer by abbccdda · Pull Request #7952 · apache/kafka

abbccdda · 2020-01-13T23:32:18Z

As title suggests, the change is bringing in the consumer group metadata as part of the transaction API for correct fencing after 447.
This PR mainly changes on the Producer end for compatible paths to old sendOffsetsToTxn(offsets, groupId) vs new sendOffsetsToTxn(offsets, groupMetadata).

Some integration test extensions are also added to test out the validity of the new sendOffsets API.

This PR also contains some fixes towards the closed protocol PR.

Committer Checklist (excluded from commit message)

Verify design and implementation
Verify test coverage and CI build status
Verify documentation (including upgrade notes)

abbccdda · 2020-01-15T03:53:53Z

Addressing: #7897 (comment)

abbccdda · 2020-01-15T03:54:37Z

Addressing #7897 (comment)

abbccdda · 2020-01-15T03:55:10Z

This and the following new tests are addressing the comments for separating valid and invalid scenario: #7897 (comment)

abbccdda · 2020-01-15T22:53:42Z

We unify the API for groupId and groupMetadata commit here, which includes the groupId within the metadata struct.
A boolean flag indicating whether to turn on global fencing shall be passed down to the txn commit sender to determine whether we should include (member.id, instance.id, generation.id) in the request.

abbccdda · 2020-01-15T22:54:30Z

This separation is to avoid if-else loop complexity warning from checkstyle.

abbccdda · 2020-01-15T22:55:07Z

When working with the multi-version API, I realized that by making the data initialization internal could save a lot of caller's effort.

abbccdda · 2020-01-15T22:56:37Z

The test coverage for KafkaProducerTest is weak in general. We just did the bare minimum here to route the request through a full init->begin->commit->end workflow and make sure it is working properly.

abbccdda · 2020-01-15T22:58:59Z

This is just leveraging the same security check here, no harm to do for both API calls.

abbccdda · 2020-01-15T23:13:11Z

The 3 tests here are primarily evaluating that when we are on groupMetadata mode, we could correctly detect FENCED_INSTANCE_ID, UNKNOWN_MEMBER_ID and ILLEGAL_GENERATION exceptions.

abbccdda · 2020-01-15T23:20:48Z

A full test to set all 3 group fields

abbccdda · 2020-01-15T23:21:24Z

Use new API for compatibility test.

abbccdda · 2020-01-15T23:21:32Z

Same here for compatibility.

hachikuji · 2020-01-16T18:17:53Z

I'm wondering if we should use CommitFailedException. In the consumer, we do not expose illegal generation and unknown member id errors directly to the user.

That's a good suggestion, I could wrap unknown member id and illegal generation by a commit failed exception.

hachikuji · 2020-01-16T18:20:52Z

nit: I think we can do away with enableGroupFencing and derive its value from ConsumerGroupMetadata. In spite of my comment on the previous PR, it may be simpler to just let the defaults be consistent with the expected default values and just have one path below.

How do we distinguish with the case where only groupId is passed, v.s. the whole groupMetadata is passed but other fields are UNKNOWN_XXX? Do we guarantee that groupMetadata#generationId should never be UNKNOWN_GENERATION_ID (from the broker-side logic we would not check if the generationId < 0)? If yes then we can use that as the boolean flag and get rid of enableGroupFencing.

I think we should validate the object when it is received in sendOffsets.

mjsax

Only did a high level pass -- leave if to @hachikuji to merge.

mjsax · 2020-01-16T18:51:44Z

Why this change? Should sendOffsetsToTransaction not be able to handle null gracefully? Seems it would be a regression if we change the behavior and start to fail on null?

It is actually not, I will try to specify the object type so we don't need to use 0 length string

guozhangwang · 2020-01-16T19:29:46Z

How do we distinguish with the case where only groupId is passed, v.s. the whole groupMetadata is passed but other fields are UNKNOWN_XXX? Do we guarantee that groupMetadata#generationId should never be UNKNOWN_GENERATION_ID (from the broker-side logic we would not check if the generationId < 0)? If yes then we can use that as the boolean flag and get rid of enableGroupFencing.

abbccdda · 2020-01-17T05:51:59Z

Test changes in this class are only for new API coverage.

abbccdda · 2020-01-17T05:55:53Z

After some thoughts, I feel hesitated to classify the FencedInstanceId as a sub type of CommitFailed, for producer exception handling we should abort the current transaction and let consumer rejoin the group as needed. For instanceId fenced, it is more fatal as an indicator of a malicious client that should fail the entire client. Like @hachikuji proposed, it makes sense for us to specify new EOS example code once the changes are merged so that we could make sure the API is user friendly: https://issues.apache.org/jira/browse/KAFKA-9447

hachikuji · 2020-01-19T18:42:06Z

retest this please

hachikuji

Thanks, a few more comments. I think we're almost there.

hachikuji · 2020-01-19T18:49:40Z

It's not really valid to commit offsets with a null groupId. Why don't we use requireNonNull?

We could do that, it's just a legacy logic for allowing null groupId

It never actually made sense since the producer itself doesn't support it.

hachikuji · 2020-01-19T18:55:52Z

I think there's probably a good case to raise this one directly as an abortable error instead of getting wrapped in CommitFailedException. Although it is not fatal for the producer, the user shouldn't ignore it.

User will have to handle this exception properly by either:

aborting the transaction as recommended

fail the entire application to be more strict

other cases as they see fit

So no matter how to handle it, the error shall not be ignored. If we are throwing 3 different types of exceptions, user would as well need to catch 3 different types of exceptions IMHO

My expectation for illegal generation and unknown member id is that it can be more or less ignored. The user should abort the transaction, but then continue after rejoining the group. The instance fenced error means a new instance of the application has been started somewhere and the application should be stopped.

By the way, this is why I suggested writing some example code which shows what we consider to be proper handling. This will give us a better idea if the handling is reasonable, awkward, or incomplete.

That's true, we also had a jira to track it here: https://issues.apache.org/jira/browse/KAFKA-9447

hachikuji · 2020-01-19T19:01:42Z

These test cases seem to be identical code other than the error. Can we factor out a helper?

Actually there are a couple of differences inside the test, such as error type, consumer metadata creation, and request matcher. Probably we could just leave as it is since new readers would just fix one by reading through the whole block

This reverts commit 437f845.

hachikuji · 2020-01-22T16:22:46Z

retest this please

hachikuji · 2020-01-22T16:25:35Z

ok to test

hachikuji

Hopefully final round of comments.

hachikuji · 2020-01-22T16:40:26Z

+    private void throwIfInvalidGroupMetadata(ConsumerGroupMetadata groupMetadata) {
+        if (groupMetadata == null) {
+            throw new IllegalStateException("Consumer group metadata could not be null");
+        } else if (groupMetadata.groupId() == null) {


nit: we may as well move this check into ConsumerGroupMetadata since we have some other null checks there.

The check is a little bit over-specific for ConsumerGroupMetadata itself, which is why I put advanced check in here so that people could construct group metadata in error format as they want.

Can you elaborate why this is different from e.g. the memberId?

hachikuji · 2020-01-22T16:40:57Z


+    private void throwIfInvalidGroupMetadata(ConsumerGroupMetadata groupMetadata) {
+        if (groupMetadata == null) {
+            throw new IllegalStateException("Consumer group metadata could not be null");


I think these should all be IllegalArgumentException. The producer is not in an illegal state.

hachikuji · 2020-01-22T16:51:24Z

Wait, how did we end up back here? I thought we agreed this should not be fatal for the producer? I think it should have a separate branch above, similar to the handling of GROUP_AUTHORIZATION_FAILED.

hachikuji · 2020-01-22T18:46:59Z

retest this please

hachikuji · 2020-01-22T18:47:19Z

ok to test

hachikuji

LGTM. Thanks for the patch!

* apache-github/trunk: KAFKA-9418; Add new sendOffsetsToTransaction API to KafkaProducer (apache#7952) KAFKA-7273 Clarification on mutability of headers passed to Converter#fromConnectData() (apache#7489) MINOR: Only update a request's local complete time in API handler if unset (apache#7813) KAFKA-9143: Log task reconfiguration error only when it happened (apache#7648) MINOR: Change the log level from ERROR to DEBUG when failing to get plugin loader for connector (apache#7964) KAFKA-9024: Better error message when field specified does not exist (apache#7819) KAFKA-7204: Avoid clearing records for paused partitions on poll of MockConsumer (apache#7505) KAFKA-9083: Various fixes/improvements for Connect's Values class (apache#7593) MINOR: log error message from Connect sink exception (apache#7555)

abbccdda changed the title ~~(WIP) KAFKA-9418: Add new sendoffsetsToTransaction API to KafkaProducer~~ (WIP) KAFKA-9418: Add new sendOffsetsToTransaction API to KafkaProducer Jan 13, 2020

abbccdda force-pushed the producer_sendoffsets branch 3 times, most recently from 48db78d to e2fad5b Compare January 15, 2020 00:21