KAFKA-16985: Ensure consumer attempts to send leave request on close even if interrupted

[kirktrue]

This change ensures that AsyncKafkaConsumer attempts to leave the group cleanly upon close(), regardless of the timeout or interrupts. The application thread will invoke the ConsumerRebalanceListener’s callback, if present, to release the assignment, and then enqueue a LeaveGroupOnClose for the background thread. The background thread will send out the “leave group” heartbeat, and will notify the application thread (if still waiting) upon response.

Committer Checklist (excluded from commit message)

• Verify design and implementation
• Verify test coverage and CI build status
• Verify documentation (including upgrade notes)

[kirktrue]

@lianetm @philipnee—can I get a review, please 😄

[kirktrue]

Latest test failures look unrelated.

[lianetm]

Thanks for the updates @kirktrue ! Here are some comments after another pass to non-testing files

[lianetm]

this is not needed anymore right?

[kirktrue]

This was removed already. Not sure how it was still showing for you 🤔

[lianetm]

This was the review I mentioned I started adding comments one day, and finished the day after he he, that's probably why.

[lianetm]

nit: matter of changed perception I guess, but what about renaming this to clearly indicate that it is running callbacks? ( ~runRebalanceCallbacksOnClose). I see it's important given the challenges that callbacks bring here

[kirktrue]

Renamed to runRebalanceCallbacksOnClose() as suggested 👍

[lianetm]

up to you, but what about:

Suggested change

	ConsumerGroupMetadata cgm = groupMetadata.get().orElse(null);
	if (cgm == null)
	return;
	if (!groupMetadata.get().isPresent())
	return;
	int memberEpoch = groupMetadata.get().get().generationId();

I find it's comes back clearer later on, to refer to member epoch instead of generation id to determine the callback

[kirktrue]

Refactored as suggested 👍

[lianetm]

why passing a Supplier of CompletableFuture instead of simply passing the CompletableFuture itself? seems more verbose/obfuscated but I could be missing an upside.

In any case passing an Optional maybe suits better? given that we want to represent that the leave may (or may not) receive a future to wait on before sending the request

[kirktrue]

It's an ordering issue 😢

To pass the CompletableFuture into the (internal) leaveGroup() method, the code would have to execute signalMemberLeavingGroup() first. For the ConsumerMembershipManager, signalMemberLeavingGroup() is overridden and calls invokeOnPartitionsRevokedOrLostToReleaseAssignment(). I assumed that invoking invokeOnPartitionsRevokedOrLostToReleaseAssignment() before calling leaveGroup() would throw off the existing logic.

That said, I don't like the use of Supplier here, either. I also wanted to leave the existing code as is, where possible.

Let me know if you have ideas to simplify it.

[lianetm]

we should notify with the full assignment here I would say (assignedPartitions)

[kirktrue]

Done. I should have looked more closely at the actual variable name of addedPartitions 🤦‍♂️

[lianetm]

uhm this is tricky, I wonder if dangerous. Here we are saying that the membership mgr will notify about an assignment that is not really a group assignment (it's manual assign). That notification is then taken on the consumer close to trigger callbacks and send a request to the coordinator (I expect it will all be no-op or throw errors at some point?). I know there is a group check on those operations on close, but we could have groupId but not be in a group if there was never a call to subscribe.

If what we really need in the consumer is a snapshot of group assignment (needed to trigger callbacks), why don't we better keep just that (explicit name, it's not the consumer assignment, it's the consumer group assignment), and do not involve that in this call which is about manual assign? Limiting the scope to what we really need seems to avoid trouble in this case

[kirktrue]

Good catch. I've made the snapshot targeted only for consumer group members. I'd love for it to be more general, but this is the right call. PTAL at the changes when you have the time. Thanks!

[lianetm]

This event does wait for the response from the coordinator right? It's called with addAndGet, and this event future completes when the leaveGroupOnClose in the membershipMgr completes, and that only happens on maybeCompleteLeaveInProgress, when we receive a response to the HB to leave (or skip HB, or get error).

We intentionally did that to keep the same behaviour of the classic consumer (coordinator does awaitPendingRequests on close), and to avoid responses to disconnected clients that we used to have before, when we would send the leave and carry on with the consumer close/shutdown without waiting for a response. Makes sense?

[kirktrue]

The intention is that the event should wait until the response has been received for those cases where the timeout is sufficient. I've updated the comment/documentation.

[kirktrue]

Thanks for the review, @lianetm 🙏

[lianetm]

Hey @kirktrue, thanks for the updates!

[lianetm]

is this suppressWarning needed? (the param is used to complete the future)

[kirktrue]

Removed.

[lianetm]

would it be clearer to have this param explicitly naming what it does vs. when it's used? (ie. runCallbacks). Mainly because this manager knows nothing about closing really, it knows about leaving a group with or without callbacks)

[kirktrue]

Renamed to runCallbacks.

[lianetm]

I wonder if we could avoid propagating the isClosing/runCallbacks to this func that is really about "invokeCallbacks" (we're effectively calling an "invokeCallbacks" func, passing a param "runCallback" that can be false). This seems confusing and could lead to misleading logs I would say (ie. we would end up with the log line "Member completed callbacks..." when it really didn't do that here).

So one idea that comes to mind is to shortcircuit before the signalMemberLeavingGroup:

        if (isClosing/runCallbacks) {
            CompletableFuture<Void> callbackResult = signalMemberLeavingGroup();
            callbackResult.whenComplete((result, error) -> {
                // log callback completion
                ...
                clearAssignmentAndSendLeave(); // encapsulate what we do after callbacks
            });
        } else {
            clearAssignmentAndSendLeave();
        }

What do you think?

[kirktrue]

Added clearAssignmentAndSendLeave() method as suggested.

[lianetm]

typo unsubscribing

[kirktrue]

Fixed.

[lianetm]

we can reuse the toTopicPartitionSet already defined in this same class

[kirktrue]

Done. Thanks, the code was ugly 😅

[lianetm]

uhm this should probably go right after the subscription is updated, not after the callback complete. Having it here, I guess it would allow for a race if there is a call in the app thread to consumer.close, while a reconciliation is running this code. If the call to consumer.close happens after callbacks complete on ln 1167 above, but before making it to this line, the app thread could potentially close revoking partitions without including the ones just added here right?

So we could just call this notify right after updateSubscriptionAwaitingCallback (which is the one that does the actual update of the subscription state). From that moment on the partitions are effectively assigned even though the onPartitionsAssigned may have not completed.

[kirktrue]

Moved notifyAssignmentChange() to right after subscriptions.assignFromSubscribedAwaitingCallback() in updateSubscriptionAwaitingCallback().

[lianetm]

do we need to interrupt if we're already mocking the interrupt exception above? ln 698

[kirktrue]

Good call. Removed.

[lianetm]

this func if about manual assignment so I would expect we don't need to set the group assignment snapshot right?

[kirktrue]

You're right. That's a holdover from when I was updating the snapshot for manually-assigned partitions too.

[lianetm]

should we add a very similar test for close(0)?

[kirktrue]

I worked up the test, but I ran it 10 times and it failed twice. The 'leave group on 0 timeout' is a best effort, so the timing may not work out that we can send off the request before the ConsumerNetworkThread shuts down.

[lianetm]

ack, makes sense. It's still important to ensure we run callbacks on close(0) but that is covered on testCloseLeavesGroupDespiteOnPartitionsLostError, all good.

[lianetm]

Thanks for the updates @kirktrue !

Could you please update the PR description to remove all the old callback flow that is not applied on close anymore? Important to call out that this is ensuring callbacks executed + attempt to send the leave request, regardless of timeout/interrupt.

[lianetm]

we are notifying on the path of new assignment and on leave, but I think we're missing the fenced/fatal paths.

Those 2 end up calling clearAssignment, so maybe we could notify there to cover them? (right after ln 483 subscriptions.assignFromSubscribed(Collections.emptySet()))?

[kirktrue]

I changed the code to look like this:

    private void clearAssignment() {
        if (subscriptions.hasAutoAssignedPartitions()) {
            subscriptions.assignFromSubscribed(Collections.emptySet());
            notifyAssignmentChange(Collections.emptySet());
        }
        currentAssignment = LocalAssignment.NONE;
        clearPendingAssignmentsAndLocalNamesCache();
    }

[lianetm]

I wonder if we're making it sound more complicated than it is, by saying "except where it would violate the previous tenets" and given that there are 12 tenets above :). Close always honours timeout except for callbacks only right? (already mentioned in point 4). If we simplify as mentioned above, adding to 4 the fact that callbacks are not time-bounded, I would say we don't need to have this one maybe?

[kirktrue]

Fair enough. Removed.

[lianetm]

true but this is not specific to the close in any way right? (It's the same for all api calls that issue requests). Would it be better/simpler to focus on the tenets of the close itself?

[kirktrue]

I agree, but there was some discussion earlier in this thread which suggested clarification around which thread does what part of the overall task. I removed it, per your suggestion.

[lianetm]

I find this is closely related to the one above (said in a way there already). Callbacks block for the full execution, not time-bounded, that's it. Could we simplify by merging them? (just adding the "not time bounded" bit above). Trying to simplify, this doc got a bit too complicated I would say.

[kirktrue]

I consolidated these points. LMK if it still needs work.

[lianetm]

Suggested change

	* This is expected to be invoked when the user calls the unsubscribe API.
	* This is expected to be invoked when the user calls the unsubscribe API or is closing the consumer.

[kirktrue]

I made the change as suggested.

[lianetm]

Thanks @kirktrue, just these minor comments, almost there.

[lianetm]

this is not needed here anymore right? (because clearAssignment will do)

[kirktrue]

Correct. I removed the extra call since clearAssignment() handles it where appropriate anyway.

[lianetm]

nit: extra line

[kirktrue]

Removed.

[lianetm]

ack, makes sense. It's still important to ensure we run callbacks on close(0) but that is covered on testCloseLeavesGroupDespiteOnPartitionsLostError, all good.

[lianetm]

Thanks a lot @kirktrue! LGTM

[kirktrue]

Thank you ♾️ @lianetm and @chia7712!!!! Thanks also to everyone else who helped define and frame the problem.