KAFKA-19078: Automatic controller addition to cluster metadata partition

[kevin-wu24]

Add the controller.quorum.auto.join.enable configuration. When enabled
with KIP-853 supported, follower controllers who are observers (their
replica id + directory id are not in the voter set) will:

• Automatically remove voter set entries which match their replica id
  but not directory id by sending the RemoveVoterRPC to the leader.
• Automatically add themselves as a voter when their replica id is not
  present in the voter set by sending the AddVoterRPC to the leader.

Reviewers: José Armando García Sancio
jsancio@apache.org, Chia-Ping Tsai
chia7712@gmail.com

[jsancio]

Thanks for the feature @kevin-wu24 . Reviewed src/main. Need to review the tests.

[jsancio]

Okay. I think we should document why we require both followersAlwaysFlush and autoJoinEnable to be true.

[jsancio]

Feature description: https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=217391519#KIP853:KRaftControllerMembershipChanges-Controllerautojoining

Add the controller.quorum.auto.join.enable configuration. When enabled with KIP-853 supported, follower controllers who are observers (their replica id + directory id are not in the voter set) will:

• Automatically remove voter set entries which match their replica id but not directory id.
• Automatically add themselves as a voter when their replica id is not present in the voter set.

I am going to use this description to generate the commit message. I don't think we should include URLs in the commit description. Ideally, the commit message should explain the changes without having to read other documents.

[jsancio]

Thanks for the changes.

[jsancio]

This cast to RemoveRaftVoterResponseData yet the method is for handleAddVoterResponse. Do the tests pass for you? How is that possible with this cast?

[kevin-wu24]

I think this is because we are not testing the response handling anywhere. In the unit tests we are only asserting that the add/remove voter request was sent when we expect it.

I think we should do something like with fetch where we complete the request (I assume this testing method executes the handleFetchResponse). I need to see how we implement this for fetch.

[jsancio]

Doesn't KafkaRaftClientAutoJoinTest send add voter and remove voter responses to the replica?

[kevin-wu24]

Yeah it does, I just looked at the code again. The tests do pass, but this is because this line in the test is sending a remove voter response: https://github.com/apache/kafka/pull/19589/files#diff-7b1538d9f4f7f1e27a444aac55ced6f780e22bfdd8af4462e82d62c24f778c85R94.
Both the implementation and test need to be fixed, thanks for the catch.

[jsancio]

Do we need a test that fully does a remove followed by an add? E.g.

0. Start with the local replica not in the voter set but the id in the voter set.
1. Remove voter is sent and acknowledged.
2. Next FETCH response send the VOTER_RECORD control batch without the voter in the old voter in the voter set.
3. Add voter is sent and acknowledged.
4. Next FETCH response send a VOTER_RECORD control btach with the local replica in the voter set.

[kevin-wu24]

I think we can add one since it acts as like a pseudo-integration test for the feature. I'm not seeing anywhere in KafkaRaftClientReconfigTest or KafkaRaftClientFetchTest that covers step 2. I see a KafkaRaftClientTest#testFollowerReplication but it doesn't add control records in the FETCH response when kraft.version == 1.

[jsancio]

After this, I think we should check that remove voter is sent after completeFetch.

[kevin-wu24]

I'm a bit confused. Why would we do this check again? I'm already doing this check from L52-56.

[jsancio]

I think we need to cover the case where the new voter sent a add/remove voter RPC. The RPC was acknowledge but the log was never updated (fetch responses didn't include the updated voter set). In this case the new voter will send another add/remove voter RPC after "update voter set period timer", right?

[kevin-wu24]

Okay. Since the local replica is still an observer, it should still try to add/remove itself if the log hasn't been updated with fetch.

[jsancio]

After this, I think we should check that add voter is sent after another completeFetch?

[jsancio]

Thanks for the great tests. We should be able to merge this improvement soon.

[jsancio]

Try using if (...) { return } else if (...) { return } ... and see if that reduces the path complexity so you can remove this suppression.

You can also try using Java's new pattern matching and lambda syntax for switch statements. E.g.

return switch (requestData) {
    case VoterRequestData voterData -> new VoterRequest.Builder(voterData);
    ...
    default -> throw new IllegalArgumentException(...);
}

[kevin-wu24]

I think I did this, but I got a build error when running ./gradlew jar. It's pretty weird, because we're supposed to be on Java 17 according to gradle, and my IDE said that this kind of instanceof switch matching is supported in Java 17+. Let me try this again and put the actual error message here.

[kevin-wu24]

This is what I get when running ./gradlew jar:

error: patterns in switch statements are a preview feature and are disabled by default.
...
(use --enable-preview to enable patterns in switch statements)

[kevin-wu24]

Try using if (...) { return } else if (...) { return } ... and see if that reduces the path complexity so you can remove this suppression.

This worked, thanks!

[jsancio]

Yeah. I think I have seen this before. I think Java 21 is the oldest release that implemented pattern matching.

[jsancio]

Replace "are always flushing" with "can become a voter."

[jsancio]

Missing newline.

                    VoterSetTest.voterSet(Stream.of(leader)).toVotersRecord((short) 0)
                ),

[jsancio]

Missing newline.

                    VoterSetTest.voterSet(Stream.of(leader, newFollowerKey)).toVotersRecord((short) 0)
                ),

[jsancio]

How about adding this time advancement and showing that the replica sent a fetch request?

        context.advanceTimeAndFetchToUpdateVoterSetTimer(epoch, leader.id());
        context.time.sleep(context.fetchTimeoutMs - 1);

[kevin-wu24]

Just added and cleaning up this test file for readability, since there's a lot of duplicate code.

[kevin-wu24]

I added the sleep method as part of the advanceTimeAndCompleteFetch helper, since that is what actually expires the timer. I also added a boolean flag to the method to determine whether sleep is called again.

[jsancio]

@kevin-wu24 , can you resolve the conflicts?

[jsancio]

Thanks for the changes @kevin-wu24 . Partial review.

[jsancio]

Okay. Is there a way to get the exact directory id (UUID) and compare against that instead?

[kevin-wu24]

Yeah, I can check that each replica has the exact metadata dir ID as what is in the TestKitNodes.

[jsancio]

Why is this the negative of auto join? Shouldn't it always be false? If KRaft send an "add voter" request, it should always be version 1 and return before committing.

[jsancio]

This is the add voter request specific for the kraft implementation. "Ack when committed" should always be false. If that's true then let's remove this parameter and not give the caller the option to set it. In the implementation, the method should always call setAckWhenCommitted(false).

[kevin-wu24]

"Ack when committed" should always be false

I don't think this is true, since there are callers of this method in KafkaRaftClientReconfigTest that do test sending an AddVoterRequest with ackWhenCommitted == true since it is testing the leader state when receiving this RPC. I agree that KafkaRaftClient should always call this method with false.

[jsancio]

I see. That's fair.

[jsancio]

Flip the order of these parameters. The kraft module has a pattern of using the last parameter as the current time when needed.

[jsancio]

Let's fix this indentation. How about:

        pollAndDeliverFetchToUpdateVoterSet(
            context,
            epoch,
            VoterSetTest.voterSet(Stream.of(leader, newVoter))
        );

[jsancio]

Let's not give the caller the option to override this. This value should always be false and this method should just check for that explicitly.

[jsancio]

This assumes that the voter set only has one voter hence one record.

[kevin-wu24]

Why does this assume the voter set only has one voter? Which voter set are you referencing?

testObserverRemovesOldVoterAndAutoJoins has the voter set go from size 2, to size 1, and then back to size 2 by having a follower node complete the whole "auto-join" flow (i.e. remove its old self and and its new self to the voter set).

[jsancio]

Hmm. Maybe we can use context.time.milliseconds().

[jsancio]

Thanks @kevin-wu24 . I think we should be able to merge this soon.

[jsancio]

I see. That's fair.

[jsancio]

This backoff not correct now that observers can send AddVoter and RemoveVoter requests. Take a look how I solved it for pollFollowerAsVoter.

[jsancio]

Let's add a shouldSendAddOrRemoveVoterRequest similar to shouldSendUpdateVoterRequest. This would allow you to better document this predicate.

[jsancio]

Please document why we need this predicate. See shouldSendUpdateVoteRequest for an example.

[jsancio]

See my other comment but you can move this comment to shouldSendAddOrRemoveVoterRequest.

[jsancio]

Observer don't need to backoff until the fetch timeout since observer do not read or handle fetch timeouts.

[jsancio]

LGTM

[chia7712]

@kevin-wu24 thanks for this cool function! I have a couple of questions. Please take a look when you have some free time.

[chia7712]

I didn't see any usage of the timeout. Is that expected?

[kevin-wu24]

I didn't see any usage of the timeout.

Can you elaborate a bit more about this? I'm not sure what you mean.

The AddRaftVoterRequest is handled in a separate Java class, AddVoterHandler.

[kevin-wu24]

I think I see what you mean @chia7712.

The leader does have timeout logic to expire the pending AddVoterRequest when it sends the ApiVersionsRequest. But it doesn't check the client-side timeout sent as part of the request has expired. In practice, this doesn't affect too much because the leader will either time out the request during the APIVersions handling, or if unable to commit the new voters record, will resign. The important thing is that the leader does not get stuck with a pending voters operation. For the purposes of auto-join PR, adding handling for the client-side timeout is out of scope.

Additionally, for the default timeout of an AdminClient request to add/remove a voter (1 min IIRC), the fetch timeout is significantly smaller, so it won't matter. If the timeout is sufficiently small enough, then we are missing handling on the server-side.

Filed https://issues.apache.org/jira/browse/KAFKA-19600 as a follow-up.

[chia7712]

Set.of(3000, 3001, 3002)

[chia7712]

voterDirectoryid -> voterDirectoryId

[chia7712]

Perhaps we could remind that, in this path, the directory ID must be different.

[kevin-wu24]

Sure, I can clarify the comment.

[chia7712]

LGTM. I'm leaving a follow-up suggestion.

[chia7712]

@kevin-wu24 it would be cool if users could find out about this new config through upgrade.html. Could you please consider addressing it in the follow-up?

[kevin-wu24]

Filed https://issues.apache.org/jira/browse/KAFKA-19604

[chia7712]

In the broker node, the state timeout is not reset in voter-related responses. As a result, the 0 returned by remainingUpdateVoterSetPeriodMs can lead to a busy loop, which increases CPU usage. Could you please take a look?

[chia7712]

open https://issues.apache.org/jira/browse/KAFKA-19605

[kevin-wu24]

Yeah, for a broker, this return statement will eventually always return 0 since we have no way to reset it. I don't think conceptually it makes sense to reset that timer upon receiving a FetchResponse. Instead we should not read that timer's value when determining the backoff if we are a broker.

[kevin-wu24]

Opened #20354