MINOR: enable topic deletion in the KIP-500 controller

[cmccabe]

Enable the new KIP-500 controller to delete topics.

Fix a bug where feature level records were not correctly replayed.

Fix a bug in TimelineHashMap#remove where the wrong type was being
returned.

[rondagostino]

Successfully ran the system test that was previously failing due to an inability to delete topics:

TC_PATHS="tests/kafkatest/tests/core/replica_scale_test.py::ReplicaScaleTest.test_clean_bounce" bash tests/docker/run_tests.sh

test_id:    kafkatest.tests.core.replica_scale_test.ReplicaScaleTest.test_clean_bounce.topic_count=50.partition_count=34.replication_factor=3.metadata_quorum=REMOTE_RAFT
status:     PASS
run time:   8 minutes 17.307 seconds

[chia7712]

overall LGTM. some minor questions are left. Please take a look.

[cmccabe]

rebased on trunk

[chia7712]

Thanks for updating code. Some minor comments are left. Please take a look.

[cmccabe]

rebased on trunk

[cmccabe]

rebased on trunk

[chia7712]

@cmccabe thanks for updating code. please take a look at following minor questions.

[hachikuji]

The error should be TOPIC_AUTHORIZATION_FAILED if the client does not have describe permission regardless of existence.

[cmccabe]

I think there are 5 cases:

1. name provided, topic exists, can't delete, maybe can describe => TOPIC_AUTHORIZATION_FAILED
2. name provided, topic doesn't exist, can't delete, can describe => UNKNOWN_TOPIC_OR_PARTITION
3. name provided, topic doesn't exist, can't delete, can't describe => TOPIC_AUTHORIZATION_FAILED
4. id provided, topic exists, can't delete, maybe can describe => TOPIC_AUTHORIZATION_FAILED
5. id provided, topic doesn't exists, can't delete, maybe can describe => UNKNOWN_TOPIC_ID

[jolshan]

For case 4, are we exposing the topic exists by returning a different error (than case 5) in the case where we can't describe?

[cmccabe]

You're right, the earlier list was not quite right. I've revised this a bit. It's now:

no name or id => INVALID_REQUEST

duplicate name or id => INVALID_REQUEST

can't resolve topic id => UNKNOWN_TOPIC_ID

can't locate topic name => UNKNOWN_TOPIC_OR_PARTITION

no delete permission, no describe permission => UNKNOWN_TOPIC_ID (if topic id was provided) or UNKNOWN_TOPIC_OR_PARTITION (if topic name was provided)

no delete permission, describe permission => TOPIC_AUTHORIZATION_FAILED with both name and id filled out correctly

The new code should implement this correctly...

[jolshan]

@cmccabe Oh sorry this just got changed due to https://issues.apache.org/jira/browse/KAFKA-12394
So the case of no delete permission, no describe permission, topic ID provided is now TOPIC_AUTHORIZATION_FAILED. This may have been what you had initially.

[junrao]

@cmccabe : Thanks for the PR. Added a couple of comments.

[junrao]

Should we update brokersToIsrs too?

[cmccabe]

The ISRs should already have been updated by BrokerChangeRecords that were previously replayed.

[junrao]

Hmm, you mean PartitionChangeRecord? I don't see PartitionChangeRecord being generated from the topicDeletion request.

[cmccabe]

Sorry, you're right: we need to remove this from brokersToIsrs. Fixed.

[junrao]

I guess we haven't hooked up the logic to trigger the deletion of the replicas of the deleted topic in the broker?

[cmccabe]

We haven't hooked that up yet, correct. But that logic is in BrokerMetadataListener. It would probably be better to have a separate PR for that.

[junrao]

@cmccabe : Thanks for the explanation. A couple of more comments.

[junrao]

Hmm, you mean PartitionChangeRecord? I don't see PartitionChangeRecord being generated from the topicDeletion request.

[junrao]

We also need to delete the configuration associated with the topic.

[hachikuji]

Is the deletion of topic configurations implicit based on the DeleteTopic record? I know we discussed this, but I'm unsure what the final outcome was. I don't see any logic for this in the broker listener, but the implementation looks incomplete anyway.

[cmccabe]

Yes, it should be implicit based on the DeleteTopic record. I will fix the controller to do the right thing here. We'll also need to have the broker do that too.

[chia7712]

@cmccabe Thanks for updating PR.

this code ends up being complicated. Could it be separated and then reused by ControlApis and KafkaApis? I left same comment on #10223 (#10223 (comment))

[ijuma]

@cmccabe I pushed a commit that removes a bunch of unnecessary asScala conversions (even though these don't copy the collection, they add a shallow allocation and indirection and the code is shorter with these changes - win/win).

[chia7712]

@cmccabe Thanks for handling this very, very, very complicated code. a couple of comments are left. Please take a look.

[hachikuji]

Is the deletion of topic configurations implicit based on the DeleteTopic record? I know we discussed this, but I'm unsure what the final outcome was. I don't see any logic for this in the broker listener, but the implementation looks incomplete anyway.

[rondagostino]

The below, if added as tests/kafkatest/sanity_checks/test_delete_topic.py, fails for the Raft cases on this PR branch as of this moment because the broker fails to shutdown. The following appears in the controller log:

[2021-03-02 21:41:13,354] INFO [Controller 1] Unfenced broker 1 has requested and been granted a controlled shutdown. (org.apache.kafka.controller.BrokerHeartbeatManager)
[2021-03-02 21:41:13,355] WARN [Controller 1] org.apache.kafka.controller.QuorumController@3fa533f1: failed with unknown server exception RuntimeException at epoch 1 in 802 us.  Reverting to last committed offset 5. (org.apache.kafka.controller.QuorumController)
java.lang.RuntimeException: Topic ID VnD54LHq2t3qq_m1WLasZg existed in isrMembers, but not in the topics map.
	at org.apache.kafka.controller.ReplicationControlManager.handleNodeDeactivated(ReplicationControlManager.java:752)
	at org.apache.kafka.controller.ReplicationControlManager.processBrokerHeartbeat(ReplicationControlManager.java:931)
	at org.apache.kafka.controller.QuorumController$1.generateRecordsAndResult(QuorumController.java:911)
	at org.apache.kafka.controller.QuorumController$ControllerWriteEvent.run(QuorumController.java:419)
	at org.apache.kafka.queue.KafkaEventQueue$EventContext.run(KafkaEventQueue.java:121)
	at org.apache.kafka.queue.KafkaEventQueue$EventHandler.handleEvents(KafkaEventQueue.java:200)
	at org.apache.kafka.queue.KafkaEventQueue$EventHandler.run(KafkaEventQueue.java:173)
	at java.lang.Thread.run(Thread.java:748)

Maybe add this system test to this PR as tests/kafkatest/sanity_checks/test_delete_topic.py?

# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.


from ducktape.mark import matrix
from ducktape.mark.resource import cluster
from ducktape.tests.test import Test

from kafkatest.services.kafka import KafkaService, quorum
from kafkatest.services.zookeeper import ZookeeperService
import time

class TestDeleteTopic(Test):
    """Sanity checks that we can create and delete a topic and then shutdown."""
    def __init__(self, test_context):
        super(TestDeleteTopic, self).__init__(test_context)

        self.topic = "test_topic"
        self.zk = ZookeeperService(test_context, num_nodes=1) if quorum.for_test(test_context) == quorum.zk else None
        self.kafka = KafkaService(test_context, num_nodes=1, zk=self.zk,
                                  topics={self.topic: {"partitions": 1, "replication-factor": 1}},
                                  controller_num_nodes_override=1)
    def setUp(self):
        if self.zk:
            self.zk.start()

    @cluster(num_nodes=2)
    @matrix(metadata_quorum=quorum.all)
    def test_delete_topic(self, metadata_quorum):
        """
        Test that we can create and delete a topic and then shutdown
        """
        self.kafka.start()
        self.kafka.delete_topic(self.topic)
        time.sleep(10) # give it a bit to take effect
        self.kafka.stop() # explicit stop so that failure to stop fails the test

[hachikuji]

@rondagostino I believe that error will be fixed by https://issues.apache.org/jira/browse/KAFKA-12403.

[cmccabe]

Thanks for the reviews! I reworked the authentication, validation, and de-duplication code a lot. The new logic should take into account the issues pointed out here. I resolved a few comment threads since they refer to code that was refactored-- please take another look if you get a chance.

To clarify a bit, RemoveTopicRecord should imply some other effects:

• All topic configs for the affected topic should be deleted
• We should delete all the partitions of the deleted topic
• We should remove the topic from brokersToIsrs

The fact that it wasn't doing these things was a bug... it's fixed now. This should also allow the ducktape test to work (cc @rondagostino )

We also have a JIRA to follow up on the broker side: https://issues.apache.org/jira/browse/KAFKA-12403

[rondagostino]

[2021-03-02T22:42:17.438Z] [ant:checkstyle] [ERROR] /home/jenkins/jenkins-agent/workspace/Kafka_kafka-pr_PR-10184/metadata/src/main/java/org/apache/kafka/controller/ReplicationControlManager.java:76:8: Unused import - java.util.Set. [UnusedImports]

[chia7712]

@cmccabe thanks for updating code.

The following comments are used to make sure the error handle (and response) is consistent to #10223

please take a look.

[hachikuji]

LGTM. @junrao Would you mind checking over the last two commits I added?

[junrao]

@hachikuji : Thanks for the updated PR. Just a couple of more comments.

[junrao]

Hmm, why do we need to remove for -1 broker? It doesn't seem that brokersToIsrs tracks that.

[hachikuji]

The test case BrokersToIsrsTest.testNoLeader suggests that it is a possible case. It looks like the path through ReplicationControlManager.handleNodeDeactivated could result in a PartitionChangeRecord which has leaderId set to -1.

[junrao]

It's true and a partition could have isr and no leader. However, in that case, isrMembers in brokersToIsrs will still be updated with key from replicaId in isr and isr will never have -1 in its list. The noLeader info is only stored in the value of isrMembers.

[hachikuji]

I stepped through testNoLeader and it seems that -1 can indeed be a key in isrMembers. The noLeaderIterator makes the expectation explicit.

[junrao]

Got it. The following comment confirmed this.

    /**
     * A map of broker IDs to the partitions that the broker is in the ISR for.
     * Partitions with no isr members appear in this map under id NO_LEADER.
     */
    private final TimelineHashMap<Integer, TimelineHashMap<Uuid, int[]>> isrMembers;

[chia7712]

+1 to this nice patch. Some trivial comments are left. Please take a look.

[chia7712]

this controller is mock so disabling active works well for this test. However, I did not observe the check of control activity in production code. Could you share that with me?

[hachikuji]

See QuorumController.QuorumMetaLogListener for the callbacks that make the controller active or inactive.

[junrao]

@hachikuji : Thanks for the updated PR. LGTM too.

[junrao]

Got it. The following comment confirmed this.

    /**
     * A map of broker IDs to the partitions that the broker is in the ISR for.
     * Partitions with no isr members appear in this map under id NO_LEADER.
     */
    private final TimelineHashMap<Integer, TimelineHashMap<Uuid, int[]>> isrMembers;

[hachikuji]

Thanks for reviews. I will merge this on behalf of @cmccabe to trunk and 2.8.

[chia7712]

@hachikuji this PR breaks the build (this PR was merged after #10253). Could you file a hot-fix?