KAFKA-12677: return not_controller error in envelope response itself

[showuon]

In Kafka Raft mode, the flow sending request from client to controller is like this:

1. client send reqesut to a random controller (ex: A-controller)
2. A-controller will forward the request to active controller (ex: B-controller) to handle the request
3. After active B-controller completed the request, the A-controller will receive the response, and do a check:
   3.1. if the response has "disconnected" or "NOT_CONTROLLER" error, which means the cached active controller is changed. So, clear the cached active controller, and wait for next retry to get the updated active controller from controllerNodeProvider
   3.2. else, complete the request and respond back to client

In this bug, we have 2 issues existed:

1. "NOT_CONTROLLER" exception won't be correctly send back to the requester, instead, UNKNOWN_SERVER_ERROR will be returned. The reason is the NotControllerException is wrapped by a CompletionException when the Future completeExceptionally. And the CompletionException will not match any Errors we defined, so the UNKNOWN_SERVER_ERROR will be returned. Even if we don't want the NotControllerException return back to client, we need to know it to do some check.

fix 1: unwrap the CompletionException before encoding the exception to error.

2. Even if we fixed 1st bug, we still haven't fixed this issue. After the 1st bug fixed, the client can successfully get NotControllerException now, and keep retrying... until timeout. So, why won't it meet the flow 3.1 mentioned above, since it has NotControllerException? The reason is, we wrapped the original request with EnvelopeRequest and forwarded to active controller. So, after the active controller completed the request, responded with NotControllerException, and then, wrapped into an EnvelopeResponse with no error, and then send the EnvelopeResponse back. That is, in the flow 3.1, we only got "no error" from EnvelopeResponse, not the NotControllerException inside.

new: fix 2: Make the envelope response return NotControllerException if the controller response has NotControllerException. So that we can catch the NotControllerException on envelopeResponse to update the active controller.

old: fix 2: in flow 3.1, parse the EnvelopeResponse to check if there's NotControllerException inside.

Note: in the jira ticket we think there's Recorded new controller log, which should already changed to new active controller:

[broker0_:BrokerToControllerChannelManager broker=0 name=heartbeat]: Recorded new controller, from now on will use broker localhost:54229 (id: 3000 rack: null) 

It's is true, but after further investigation, I found it only changed for this thread: broker0_:BrokerToControllerChannelManager broker=0 name=heartbeat. The topic creation thread is forwarding thread: broker0_:BrokerToControllerChannelManager broker=0 name=forwarding, which still using old active controller.

Committer Checklist (excluded from commit message)

• Verify design and implementation
• Verify test coverage and CI build status
• Verify documentation (including upgrade notes)

[dengziming]

This is awesome, I also notice that there is no logic about NOT_CONTROLLER and active controller, I will take some time to test this PR. 👍

[showuon]

@hachikuji @mumrah @abbccdda @cmccabe , could you help review this PR? I'll add tests later. Thank you.

[showuon]

Tests added. Thanks.

[dengziming]

It seems the problem has been fixed, you can make some small changes to trigger the QA some more times to prove this approach is right.

[showuon]

add a requestHeader parameter to do envelope response parsing.

[showuon]

Jenkins PR build results proved the RaftClusterTest tests doesn't fail anymore:
#4: 1 failed test:

Build / JDK 11 and Scala 2.13 / org.apache.kafka.connect.integration.BlockingConnectorTest.testBlockInSinkTaskStop

#5: all tests passed
#6: all tests passed

[showuon]

@dengziming , thanks for the comments. I've updated. Thanks.

[showuon]

@hachikuji @mumrah @abbccdda @cmccabe , call for review since the tests keep failing. Thank you.

[wenbingshen]

@showuon Great finding, thanks for your PR, a trivial suggestion below.

[showuon]

@hachikuji @mumrah @abbccdda @cmccabe , please help review when available. Thank you.

[hachikuji]

@showuon Thanks for the patch. One detail in the description does not seem right to me.

1. "NOT_CONTROLLER" exception won't be correctly send back, instead, UNKNOWN_SERVER_ERROR will be returned. The reason is the NotControllerException is wrapped by a CompletionException when the Future completeExceptionally. And the CompletionException will not match any Errors we defined, so the UNKNOWN_SERVER_ERROR will be returned.

The client is not necessarily trying to reach the controller. It is sending a request to a broker and the fact that we forward it to a controller is an implementation detail. So the NOT_CONTROLLER error does not make sense for the client. That is why we do not return it. We decided instead that if the controller could not be reached before expiration of the timeout, then we would return REQUEST_TIMED_OUT instead.

That aside, it is not very clear to me why we need to parse the envelope response. The intent was to return NOT_CONTROLLER as the error code in the EnvelopeResponse itself. Perhaps there is a race condition in the controller handling where this is not working? Probably that is what we should fix.

[showuon]

@hachikuji , thanks for your explanation.

The client is not necessarily trying to reach the controller. It is sending a request to a broker and the fact that we forward it to a controller is an implementation detail. So the NOT_CONTROLLER error does not make sense for the client. That is why we do not return it.

The intent was to return NOT_CONTROLLER as the error code in the EnvelopeResponse itself. Perhaps there is a race condition in the controller handling where this is not working? Probably that is what we should fix.

That makes sense! I'll look into it and let you know. Thank you.

[showuon]

@hachikuji , I checked and there's no race condition there. The reason why we didn't put NOT_CONTROLLER in EnvelopResponse itself is because we will build envelopeResponse with no error as long as we got response from handler (createTopics handler in this case) here. So, in ControllerApi#handleCreateTopics, we'll sendResponse when future completed, and then RequestHandlerHelper#sendResponseMaybeThrottle, we'll buildResponseSend and then go to the above link location.

So, to fix this issue, I need to build EnvelopeResponse with NotControllerError when the response from handler is having NotControllerError (fix 2). But if we don't have (fix 1), we can only get Unknown_Server_Error in the response from handler because the NotControllerError is wrapped with CompletionException.

That's my solution. Please help review. Thank you very much!

[showuon]

fix 1: unwrap the CompletionException to get the original exception inside. Even if we don't want the NotControllerException return back to client, we need to know it to do some check.

[showuon]

@hachikuji , call for review. Thanks.

[hachikuji]

@showuon Thanks for the updates. Makes sense overall, but left a couple comments.

[hachikuji]

Ok, I think this makes sense. Basically we were missing the same logic we have in KafkaApis.handleEnvelope to verify the controller status. Instead, we just send the request into the controller thread. Do I have that right? I guess another way we could do it is to send the full envelope into the controller and let it set the NOT_CONTROLLER error at the right level, but that might take some refactoring and this solution seems reasonable as well.

[hachikuji]

Hmm, a little strange to handle this case explicitly and not others. Would we want to handle ExecutionException as well for example?

Also, the comment seems to be missing some context. Which future does it refer to? Maybe it would be helpful to point to the specific usage that requires this.

[showuon]

ExecutionException -> good point! Updated. Thanks.

[showuon]

@hachikuji , I've updated addressed your comments. Please take a look again. Thank you.

[showuon]

Failed tests are unrelated. Thanks.

    Build / ARM / kafka.raft.KafkaMetadataLogTest.testDeleteSnapshots()
    Build / ARM / kafka.raft.KafkaMetadataLogTest.testDeleteSnapshots()
    Build / JDK 8 and Scala 2.12 / org.apache.kafka.connect.integration.BlockingConnectorTest.testBlockInConnectorInitialize
    Build / JDK 8 and Scala 2.12 / org.apache.kafka.connect.integration.ExampleConnectIntegrationTest.testSinkConnector
    Build / JDK 8 and Scala 2.12 / kafka.raft.KafkaMetadataLogTest.testDeleteSnapshots()
    Build / JDK 8 and Scala 2.12 / kafka.raft.KafkaMetadataLogTest.testDeleteSnapshots()
    Build / JDK 11 and Scala 2.13 / kafka.api.ConsumerBounceTest.testCloseDuringRebalance()
    Build / JDK 11 and Scala 2.13 / org.apache.kafka.streams.integration.EOSUncleanShutdownIntegrationTest.shouldWorkWithUncleanShutdownWipeOutStateStore[exactly_once_v2]
    Build / JDK 11 and Scala 2.13 / org.apache.kafka.streams.integration.EosV2UpgradeIntegrationTest.shouldUpgradeFromEosAlphaToEosV2[true]
    Build / JDK 16 and Scala 2.13 / org.apache.kafka.connect.integration.ConnectWorkerIntegrationTest.testBrokerCoordinator
    Build / JDK 16 and Scala 2.13 / org.apache.kafka.connect.integration.ConnectorClientPolicyIntegrationTest.testCreateWithAllowedOverridesForPrincipalPolicy
    Build / JDK 16 and Scala 2.13 / kafka.api.ConsumerBounceTest.testCloseDuringRebalance()
    Build / JDK 16 and Scala 2.13 / kafka.api.ConsumerBounceTest.testCloseDuringRebalance()
    Build / JDK 16 and Scala 2.13 / kafka.api.TransactionsTest.testAbortTransactionTimeout()
    Build / JDK 16 and Scala 2.13 / kafka.api.TransactionsTest.testAbortTransactionTimeout()

[hachikuji]

Thanks for the updates. Left a couple minor comments.

[hachikuji]

nit: throwableToBeEncoded?

[showuon]

Updated.

[hachikuji]

Do we have a test case which fails without this fix?

[showuon]

Added

[hachikuji]

nit: we're a little inconsistent in the comments when referring to the NOT_CONTROLLER error. Here we use "Not Controller" while in the tests we use "Not_Controller." I would suggest using "NOT_CONTROLLER" consistently.

[showuon]

@hachikuji , thanks for the reminder. Yes, I forgot to add tests for that area. Added. Thank you.

[cmccabe]

Hmm, I don't think 0.12 seconds is a good timeout for these integration tests. I would be OK cutting the time down to 60 seconds per test, though, rather than 120.

[hachikuji]

I think the default unit is seconds, so this is 120s.

[hachikuji]

@showuon Thanks for the updates. Just a few more small comments.

[hachikuji]

nit: use lower case ResponseWithoutError

[hachikuji]

Another useful test case is when the inner response has an error which is different from NOT_CONTROLLER. In this case, we expect no envelope error.

[showuon]

Good suggestion! Added testEnvelopeBuildResponseSendShouldReturnNoErrorIfInnerResponseHasNoNotControllerError

[hachikuji]

nit: it's a bit confusing that buildRequestWithEnvelope creates an alter config request, which we then respond to with a metadata response. Could we let buildRequestWithEnvelope provide the AbstractRequest so that we can use a MetadataRequest? For example, see KafkaApis.buildRequestWithEnvelope. Probably we could factor out a common method.

[showuon]

Put the buildRequestWithEnvelope method in TestUtils class to share between KafkaApisTest and RequestChannelTest. And also use MetadataRequest as input. Thank you.

[hachikuji]

nit: lower case envelopeBuffer2

[hachikuji]

nit: I think we can make this a little more concise. How about this?

// Get the underlying cause for common exception types from the concurrent library. 
// This is useful to handle cases where exceptions may be raised from a future or a 
// completion stage (as might be the case for requests sent to the controller in 
// `ControllerApis`)

[showuon]

Thanks for the suggestion! Updated.

[hachikuji]

nit: we're a little inconsistent in the comments when referring to the NOT_CONTROLLER error. Here we use "Not Controller" while in the tests we use "Not_Controller." I would suggest using "NOT_CONTROLLER" consistently.

[showuon]

@hachikuji , I've addressed your comments. Please take a look again.

Failed tests are unrelated. Thanks.

    Build / JDK 11 and Scala 2.13 / kafka.api.ConsumerBounceTest.testCloseDuringRebalance()
    Build / JDK 11 and Scala 2.13 / kafka.api.ConsumerBounceTest.testCloseDuringRebalance()
    Build / JDK 11 and Scala 2.13 / kafka.api.TransactionsTest.testSendOffsetsToTransactionTimeout()
    Build / JDK 11 and Scala 2.13 / kafka.api.TransactionsTest.testCommitTransactionTimeout()
    Build / JDK 8 and Scala 2.12 / kafka.api.ConsumerBounceTest.testCloseDuringRebalance()
    Build / JDK 8 and Scala 2.12 / kafka.server.RaftClusterSnapshotTest.testContorllerSnapshotGenerated()

[hachikuji]

LGTM. Thanks for the patch!