feat: add command topic offset to commands and perform validation based on offset when executing commands

[stevenpyzhang]

Description

Based off of discussion in #3278 and #2435.

This PR adds an offset value to both Command and QueuedCommand objects. The field in Command represents the point when a Ksql statement was validated and put on the CommandTopic. The field in QueuedCommand represents the offset that the command was read from, it's assigned from the corresponding Kafka ConsumerRecord.offset()

Request Validator was also rewritten to take a KsqlExecutionContext instead of a ServiceContext

This change also makes it so that when a statement that creates a query is executed, query_id generation can utilize the current statement offset instead of relying on incrementing a value (Future PR).

Testing done

Local tests
Update existing tests

Reviewer checklist

• Ensure docs are updated if necessary. (eg. if a user visible feature is being added or changed).
• Ensure relevant issues are linked (description should include text like "Fixes #")

[stevenpyzhang]

I ended up splitting updating the offset and the snapshot into two separate calls because there appears to be a race condition that can occur when a KsqlRequest contains multiple statements.

The integration test KsqlResourceFunctionalTest.shouldHandleInterDependantCsasTerminateAndDrop was failing

 final List<KsqlEntity> results = makeKsqlRequest(
        "CREATE STREAM SS AS SELECT * FROM " + PAGE_VIEW_STREAM + ";"
            + "TERMINATE CSAS_SS_" + NEXT_QUERY_ID.get() + ";"
            + "DROP STREAM SS;"

These commands are being pushed to the command topic in this order

Command{statement='CREATE STREAM SS WITH (KAFKA_TOPIC='SS', PARTITIONS=1, REPLICAS=1) AS SELECT *
FROM PAGEVIEWS_ORIGINAL PAGEVIEWS_ORIGINAL
EMIT CHANGES;',commandTopicOffset=1, overwriteProperties={}}
Command{statement='TERMINATE CSAS_SS_0;',commandTopicOffset=1, overwriteProperties={}}
Command{statement='DROP STREAM SS;',commandTopicOffset=2, overwriteProperties={}}

The terminate command isn't being executed since the offset signature doesn't match the current one, which then causes the drop statement to fail.

[rodesai]

The problem with doing this is that we now have a race. The runner thread does:
1. Set the new offset/signature
2. Run the command
3. Set the new snapshot

A conflicting request can come in and be validated between 1 and 2, but not actually be a valid request.

Instead, we can add a recompute() method to SnapshotWithOffset that returns a new SnapshotWithOffset with an updated offset/signature (implemented by incrementing the offset). We'd also need to know when to call recompute. We can do that by passing in a predicate from KsqlResource that returns true if the command doesn't have a custom executor.

[rodesai]

Another option, which I think I like better would be to add the notion of a "batch" to CommandStore. So you could have something like:

class CommandStore {
    BatchContext newBatch(final long offset) {
        return new BatchContext(offset);
    }

    // then add BatchContext as an argument
    enqueueCommand(final BatchContext ctx, final String statement, ...) {
        final Command command = new Command(ctx.offset(),...);
        ctx.incrementOffset();
    }
}

[rodesai]

Thanks, @stevenpyzhang! I think we are on the right track, but need to tighten up some raciness. I've left that feedback in-line. I also think that we should use the name "signature" rather than "offset" outside of the CommandStore - the fact that we're using the offset is an implementation detail.

[rodesai]

Combine these into a common call setSnapshotWithOffset - we need to update them together atomically.

[rodesai]

We need to complete the command with an error so that the request thread is not blocked.

[rodesai]

The offset we put in the command needs to be the exact same offset used when validating - by this point the offset may have changed. We should instead pass the offset in (which we validated against), and write that offset into the command.

[rodesai]

I would refer to this as a validationSignature. The fact that we're using the offset is an implementation detail.

[agavra]

I personally like offset because it also provides some guarantees its characteristics (i.e. monotonically increasing) - so it gives more, perhaps useful, information beyond "signature"

[rodesai]

The problem with doing this is that we now have a race. The runner thread does:
1. Set the new offset/signature
2. Run the command
3. Set the new snapshot

A conflicting request can come in and be validated between 1 and 2, but not actually be a valid request.

Instead, we can add a recompute() method to SnapshotWithOffset that returns a new SnapshotWithOffset with an updated offset/signature (implemented by incrementing the offset). We'd also need to know when to call recompute. We can do that by passing in a predicate from KsqlResource that returns true if the command doesn't have a custom executor.

[rodesai]

Combine setOffsetValue and setSnapshot into 1 method. In that method, we should create a new SnapshotWithOffset with the new snapshot/offset. Then, having made snapshotWithOffset an atomic reference as suggested above, we should do snapshotWithOffset.set(/* the new object we created */)

[rodesai]

Change this to AtomicReference<SnapshotWithOffset>. Then we can safely read it from the request threads even as its written by the command runner thread.

[rodesai]

Having changed snapshotWithOffset to an atomic reference, this would be snapshotWithOffset.get();

[rodesai]

rename to SnapshotWithSignature

[agavra]

Just leaving a comment saying that I'd like to review this before committing! I'll get to this tomorrow :)

[agavra]

I think we're trying to batch too many nuanced changes together with this one PR, and some that (in my opinion) need a more thorough design, perhaps even a KLIP so that the problem can be clearly understood. Writing distributed validation is a really hard problem (you can see my failed attempt in #2582), and if I understand correctly the more urgent problem we're trying to solve isn't #2435 but rather #3269, which doesn't need that.

For this change, I'd be more comfortable sticking to just adding the offset to QueuedCommand and using that in queryID generation (and just using -1 for queryID generation on the REST side validation) - we can handle race conditions in a future change.

cc @rodesai - thoughts?

[big-andy-coates]

Thanks @stevenpyzhang

I've not got time to review this this evening, but I'd like to review before its merged... hence requesting changes..

[big-andy-coates]

Offset is a long - we shouldn't be casting it to an int.

[rodesai]

For this change, I'd be more comfortable sticking to just adding the offset to QueuedCommand and using that in queryID generation (and just using -1 for queryID generation on the REST side validation) - we can handle race conditions in a future change.

cc @rodesai - thoughts?

The problem is that this is likely to corrupt data if there are racing commands, and I'd rather not change the query id generation to something we know is broken for even the simple case without restarts. Ideally we'd build the command validation mechanism first, and then build query id generation on top of that.

[stevenpyzhang]

After some offline discussion, this PR will be put on pause for now. There's a smaller PR open now #3343 that just focuses on adding fields to QueuedCommand and Command objects in order to update query id generation code.

[stevenpyzhang]

The new approach is to use Kafka's transactional producer APIs so closing this pr as it's not relevant now.