KAFKA-16308 [3/N]: Introduce feature dependency validation to UpdateFeatures command

[jolshan]

This change includes:

1. Dependency checking when updating the feature (all request versions)
2. Returning top level error and no feature level errors if any feature failed to update and using this error for all the features in the response. (all request versions)
3. Returning only top level none error for v2 and beyond

[jolshan]

I will probably just include this in 4.0 so we can drop the ZK support as well.

[junrao]

@jolshan : Thanks for the PR. Made a pass of non-testing files. Left a couple of comments.

[junrao]

Hmm, not sure that I follow. This PR is for 4.0, right?

[jolshan]

I didn't want to remove the ZK code in this PR so I hard-coded this so tests pass. When we remove the ZK, this will go away too.

[junrao]

How do we prevent the client from issuing V2 updateFeature request in ZK mode?

[jolshan]

This code will be removed before the release. I wasn't sure if it was necessary to include handling at all if folks are running off of trunk.

[jolshan]

I could have removed as part of this PR but I thought that should be done separately.

[junrao]

Got it. Perhaps make it clear that this is for ZK, which is not supported in 4.0.

[jolshan]

Sounds good.

[junrao]

If there is a partial failure, it seems weird to return an error at the top level but with no error at some features. In that case, none of the updated features is persisted. For example, in produce response, we set the partition level error to be the same as the top level.

[jolshan]

I can change all the partitions to the top level error if that is preferred.

[jolshan]

I guess the other question I have is whether it is better to fail fast or potentially show what other errors could be.
For example, if one feature is invalid because it not a real feature and one is invalid because of a dependency, should we fail with just the not real feature error? Or should we include both in the error message?

It is a little annoying to have to rerun the command for each error, but it could also be confusing if the error code is not the same for the different errors and we set them all to be the same.

Perhaps failing fast with one error at at time is the best option at the expense of the user having to rerun the command for each error. In that case, we can also change the error message logic to just share the error of the one error we found.

[jolshan]

In my latest push, I took the approach of failing fast and only replying with the features we have seen. Another option is to mark the remaining features as also failed.

[junrao]

@jolshan : Thanks for the updated PR. A few more comments.

[junrao]

We changed the implementation such that if one feature has an error, none of the features will be processed. It seems that we only need to return a top level error in UpdateFeaturesResponse. There is no need to have the per feature error code.

[jolshan]

This works too. I can do that.

[jolshan]

Taking a closer look at this -- are you suggesting to return a different type of controller response here? There are a few options. One is to simply return the feature and error that caused the failure above (in the if block). Another is to modify the type to account for top level errors.

[junrao]

I was thinking of just having the following schema. We can return the cause in the top level error message.

{
  "apiKey": 57,
  "type": "response",
  "name": "UpdateFeaturesResponse",
  "validVersions": "0-1",
  "flexibleVersions": "0+",
  "fields": [
    { "name": "ThrottleTimeMs", "type": "int32", "versions": "0+",
      "about": "The duration in milliseconds for which the request was throttled due to a quota violation, or zero if the request did not violate any quota." },
    { "name": "ErrorCode", "type": "int16", "versions": "0+",
      "about": "The top-level error code, or `0` if there was no top-level error." },
    { "name": "ErrorMessage", "type": "string", "versions": "0+", "nullableVersions": "0+",
      "about": "The top-level error message, or `null` if there was no top-level error." }
  ]
}

[jolshan]

Right. This makes sense. I think the part I was not sure about was the return type of ControllerResult. I think the approach I am taking right now is to return ControllerResult with a single entry containing the feature with the error. In QuorumController, I convert this to the top level error to return.

Ie.

            if (!error.error().equals(Errors.NONE)) {
                return ControllerResult.of(Collections.emptyList(), Collections.singletonMap(entry.getKey(), error));
            }

            if (errorEntry.isPresent()) {
                String errorFeatureName = errorEntry.get().getKey();
                ApiError topError = errorEntry.get().getValue();
                String errorString = errorFeatureName + ":" + topError.error().exceptionName() + " (" + topError.message() + ")";
                responseData.setErrorCode(topError.error().code());
                responseData.setErrorMessage("The update failed for all features since the following feature had an error: " + errorString);

thinking about ways to clean up how we find the one error. Will update again after lunch.

[junrao]

Got it. Maybe ControllerResult just need to include a single error code and error message.

[jolshan]

I've pushed the new approach. Let me know if it makes sense. (I can also clean up the surrounding code if we want to do it this way. 👍

[junrao]

Should we use the error code from topError?

[jolshan]

The KIP specified this error code. We can change this if we think this should not be the case.

The UpdateFeaturesReponse will contain a top level INVALID_UPDATE_VERSION error if any feature fails to update and no updates will persist if a single feature in the requrest fails validation. The same INVALID_UPDATE_VERSION error will be specified in UpdatableFeatureResult.ErrorCode for the features that failed. This will be accompanied with UpdatableFeatureResult.ErrorMessage an error message explaining the dependency.

[junrao]

Ok, but is ControllerResult.response returned from featureControl.updateFeatures supposed to contain the error code for the client?

[jolshan]

I included it there so the error message could contain the "real" error.

[jolshan]

@junrao I guess to summarize the conversation -- does it make sense to simply return whatever error occurred as the top level error and not invalid update version? I would think we would still want the specific feature in the response message so it can be communicated to the user.

[junrao]

It's fine to convert arbitrary server errors to just INVALID_UPDATE_VERSION. I was just wondering where the conversion happens. It seems that we already did that conversion in FeatureControlManager.updateFeature(). If FeatureControlManager.updateFeature() always returns INVALID_UPDATE_VERSION, we could just pick it up here.

[jolshan]

Ah. I see what you are saying. So we should just take the error and not further convert it. The main thing that is important is to also include the feature name.

[junrao]

How do we prevent the client from issuing V2 updateFeature request in ZK mode?

[junrao]

@jolshan : Thanks for the updated PR. A few more comments.

[junrao]

For v2, we can just ignore updateErrors and only consider topLevelError, right?

[jolshan]

This is interesting, because this code is really only currently called in the ZK path. In the case where it would be called with a partial update, we would potentially want to catch the error? But I can remove if it is confusing.

[junrao]

In the case where it would be called with a partial update, we would potentially want to catch the error?

But the ZK response is hard coded for v1, right?

[jolshan]

Yes. I wrote this in case someone would use this in the the future for some Kraft case. But maybe that is not needed.

[jolshan]

An alternative is to just remove the ability to pass in a collection of updates if ZK path is fully removed

[jolshan]

Ok -- actually I think the best way forward is to leave as is and not update the createWithErrors method. When we remove the ZK code, we can remove the ability to pass in updateErrors. I can leave a todo for this if it helps.

[junrao]

For v1, the existing behavior is that if updateErrors is not empty, we set topLevelError to be none. It seems that we are changing the behavior here?

[jolshan]

I don't think we are changing it to be none. We set it as usual in line 114.

[junrao]

Hmm, we set topLevelError to topError in line 100. This means that if there is a feature level error, the top level error is not none, which is different from the current behavior in v1.

[jolshan]

errorEntry will never be present if version is 1 or below. I agree this is not ideal for readability though.

[junrao]

@jolshan : Thanks for the updated PR. A couple of more comments.

[junrao]

Should we remove the Results field in V2?

[jolshan]

I suppose so. I will need to update a few parts of the KIP 😅 but good to get it right.

[jolshan]

The way the future is structured, it expects results for all the features.

kafka/clients/src/main/java/org/apache/kafka/clients/admin/KafkaAdminClient.java

Line 4555 in be11615

// The server should send back a response for every feature, but we do a sanity check anyway.

We can do this, but that will mean I will have to change this code too.

[jolshan]

There is not a great way to check version here, so the only thing I can do easily is remove this line. :(
I'm wondering if this is the best move.

[junrao]

If we make UpdateFeaturesResponse.Results ignorable from V2, the field will be null in V2 response. In V1 response, it can only be an empty array. We can tell whether this is V2 response based on that.

[junrao]

In V1, if there is a top level error, we don't populate the results array, right?

[jolshan]

Right now we don't, but we also don't set a top level error if a feture fails. I can amend this to not return the results array in the error case.

[junrao]

In V1, if we get a top level error like NOT_CONTROLLER, we don't populate the results array, right?

If we fail fast for V1, we could just do the same thing, i.e. set a top level error and don't populate the results array.

[jolshan]

Yup -- the key difference between not controller and a feature specific error is that we want the user to know which feature failed still. That's why the error message is crucial.

[jolshan]

Ok. I believe I've pushed the code with this implementation. Please take a look when you get a chance :)

[junrao]

Thinking about a bit more. Even for V0/V1 request, it's probably better to enforce the dependency check since it's more correct. Perhaps it's better to just fail fast for all versions?

[jolshan]

Is it a breaking change to only return partial results though?

[junrao]

In 3.9, there is only one feature that one could set. So that behavior won't be changing even if we fail fast?

[jolshan]

Hmm -- 3.9 has kraft and metadata version right?

I'm also wondering about the case where someone is using an old client on a new server (maybe not common) and there could be many features

[junrao]

Hmm -- 3.9 has kraft and metadata version right?

That's true.

Here is my reasoning. The old behavior of v1 allows the setting of kraft.version=1 and metadata.version=3.8. However, this is incorrect since kraft.version=1 depends on metadata.version=3.9. So, by failing fast, we are fixing a bug here.

Failing fast does mean that we disallow certain old behavior like accepting metadata.version=3.8 and rejecting kraft.version=-1. But the impact is not as important.

[junrao]

@jolshan : Thanks for the updated PR. A few more comments.

[junrao]

Do we need to construct the new error message? FeatureControlManager.invalidUpdateVersion already includes the feature name in the error message.

[jolshan]

I think I originally did this to also include the exception name but if we just take it as the top level exception we don't need to do this.

[jolshan]

2 test failures look related so i will take a look.

[junrao]

@jolshan : Thanks for the updated PR. Made a pass of all files. A few more comments.

[junrao]

We added updates in UpdateFeaturesResponse createWithErrors(ApiError topLevelError, Set<String> updates, int throttleTimeMs) just for this call. But if this call is wrong anyway, it seems it's simpler to just remove updates?

[jolshan]

This is also used for None errors in the KafkaAdminClient test testUpdateFeaturesHandleNotControllerException. Maybe it is not totally necessary though. The other thing that is a little interesting about that test is that it doesn't serialize the result -- so it will always look like the v1 response.

[junrao]

If any update fails, we should have a top level error.

But this path has no top level error.

[jolshan]

The comment was trying to say that if the feature (what is being checked) failed, there should be a non-NONE error. Since there is a NONE error, the future should be successful. I can try to re-word to make it clearer.

[junrao]

Which version of the response are we testing here? If it's the latest version, the set should be empty, right?

[jolshan]

Ah yeah, I referenced this above. There is no serialization so this is going to respond like a v1 request (we won't ignore the feature fields).

I can change it to not do this, but I wonder if we have testing for v1 responses now. 🤔

[jolshan]

Maybe I will add some v1/v2 tests here, and one for the serialization in the UpdateFeaturesResponseTest

[junrao]

@jolshan : Thanks for the updated PR. Just one more comment.

[junrao]

@jolshan : Thanks for the updated PR. LGTM. It would be useful to update the KIP and the mailing list with the changes.

[jolshan]

: Thanks for the updated PR. LGTM. It would be useful to update the KIP and the mailing list with the changes.

Yes! I will do that. Thanks for the thorough reviews Jun!

[jolshan]

I also noticed my comment about version 2 is off. I will update that in the json.

[junrao]

@jolshan : Thanks for the latest update. LGTM