KAFKA-19112 Unifying LIST-Type Configuration Validation and Default Values

[m1a2st]

We add the three main changes in this PR

• Disallowing null values for most LIST-type configurations makes sense,
  since users cannot explicitly set a configuration to null in a
  properties file. Therefore, only configurations with a default value of
  null should be allowed to accept null.
• Disallowing duplicate values is reasonable, as there are currently no
  known configurations in Kafka that require specifying the same value
  multiple times. Allowing duplicates is both rare in practice and
  potentially confusing to users.
• Disallowing empty list, even though many configurations currently
  accept them. In practice, setting an empty list for several of these
  configurations can lead to server startup failures or unexpected
  behavior. Therefore, enforcing non-empty lists helps prevent
  misconfiguration and improves system robustness.
  These changes may introduce some backward incompatibility, but this
  trade-off is justified by the significant improvements in safety,
  consistency, and overall user experience.

Additionally, we introduce two minor adjustments:

• Reclassify some STRING-type configurations as LIST-type, particularly
  those using comma-separated values to represent multiple entries. This
  change reflects the actual semantics used in Kafka.
• Update the default values for some configurations to better align with
  other configs.
  These changes will not introduce any compatibility issues.

Reviewers: Jun Rao junrao@gmail.com, Chia-Ping Tsai
chia7712@gmail.com

[chia7712]

The screenshot of the upgrade.html page

@m1a2st Could you please highlight the changes of cleanup.policy?

[m1a2st]

[chia7712]

I'm running an e2e for this patch. Will merge it if everything looks good

[chia7712]

network_degrade_test.py and replica_verification_test.py remain unstable. Others pass on my local.

[junrao]

@m1a2st : Thanks for the updated PR. Just a few minor comments.

[junrao]

This is an existing issue. So, the interceptors are called in reverse ordering?

[m1a2st]

Yes, this is an existing issue, I can file a Jira issue to trace it.

Updated: If the ordering is changed so that MockConsumerInterceptor comes first and CloseInterceptor second, then when MockConsumerInterceptor throws an exception, CloseInterceptor will not be initialized. As a result, its close() method will not be executed. The following test will be passed

    @EnumSource(GroupProtocol.class)
    public void testInterceptorConstructorConfigurationWithExceptionShouldCloseRemainingInstances(GroupProtocol groupProtocol) {
        final int targetInterceptor = 1;

        try {
            Properties props = new Properties();
            // skip
            props.setProperty(ConsumerConfig.INTERCEPTOR_CLASSES_CONFIG,
                    MockConsumerInterceptor.class.getName() + "," + CloseInterceptor.class.getName());

            MockConsumerInterceptor.setThrowOnConfigExceptionThreshold(targetInterceptor);

            assertThrows(KafkaException.class, () -> newConsumer(
                    props, new StringDeserializer(), new StringDeserializer()));

            assertEquals(1, MockConsumerInterceptor.CONFIG_COUNT.get());
            assertEquals(1, MockConsumerInterceptor.CLOSE_COUNT.get());

            assertEquals(0, CloseInterceptor.INIT_COUNT.get());
            assertEquals(0, CloseInterceptor.CONFIG_COUNT.get());
            assertEquals(0, CloseInterceptor.CLOSE_COUNT.get());
        } finally {
            MockConsumerInterceptor.resetCounters();
            CloseInterceptor.resetCounters();
        }
    }
    
    public static class CloseInterceptor implements ConsumerInterceptor<String, String> {

        public static final AtomicInteger CLOSE_COUNT = new AtomicInteger(0);
        public static final AtomicInteger INIT_COUNT = new AtomicInteger(0);
        public static final AtomicInteger CONFIG_COUNT = new AtomicInteger(0);

        public CloseInterceptor() {
            INIT_COUNT.incrementAndGet();
        }

       // skip

        @Override
        public void close() {
            CLOSE_COUNT.incrementAndGet();
        }

        @Override
        public void configure(Map<String, ?> configs) {
            CONFIG_COUNT.incrementAndGet();
        }

        public static void resetCounters() {
            CLOSE_COUNT.set(0);
        }
    }

[chia7712]

Excuse me, I may have misunderstood your discussion. In this test case, the MockConsumerInterceptor is created after the CloseInterceptor. As a result, CloseInterceptor.CLOSE_COUNT is updated because the getConfiguredInstances method closes the created objects in the exception handler

[junrao]

The cleanup.policy is empty => If cleanup.policy is empty

Also, could we also add "cleanup.policy supports empty, which means infinite retention."

[chia7712]

There's another issue we missed. the RPC DeleteRecordsRequest is not supported if the delete mode is disabled. If this KIP declares that the empty policy is supported, should we also allow DeleteRecordsRequest to pass on topics with the empty policy.

        if (!leaderLog.config.delete)
          throw new PolicyViolationException(s"Records of partition $topicPartition can not be deleted due to the configured policy")

kafka/core/src/main/scala/kafka/cluster/Partition.scala

Line 1661 in d6688f8

if (!leaderLog.config.delete)

[m1a2st]

Agree, we should allow an empty cleanup.policy when receiving a DeleteRecordsRequest. I will update this change in the follow up PR.

[chia7712]

Please add the changes to #20492

[chia7712]

quoted from KIP-898

This will be equivalent to extracting the plugin.path configuration from the worker properties and specifying --plugin-path .

Perhaps we should add manual check for the tool.

kafka/tools/src/main/java/org/apache/kafka/tools/ConnectPluginPath.java

Line 173 in 7426629

String pluginPath = properties.getProperty(WorkerConfig.PLUGIN_PATH_CONFIG);

[chia7712]

@majialoong Could you please file a minor patch for it?

[majialoong]

@majialoong Could you please file a minor patch for it?

Sure, I'll fix it later.

[chia7712]

Is there a test for anyNonDuplicateValues(false, false);

[m1a2st]

I file a patch for it #20844

[junrao]

@m1a2st and @chia7712 : Left another followup comment.

[junrao]

It seems that configs like HeaderFrom.HEADERS_FIELD still allow duplicates. So, we want to say sth like "Duplicate entries are no longer accepted for most LIST-type configurations, except for those that explicitly stated". We also want to change the description for HeaderFrom.HEADERS_FIELD to explicitly say that duplicates are allowed.

Thinking a bit more about this. Since we typically only introduce breaking changes in major releases, it might be useful to take a more conservative approach by only logging a warning for duplicated entries for now and rejecting them starting in 5.0.

[m1a2st]

Thanks, I also addressed in #20844

[chia7712]

@m1a2st please update the title of #20844

Also, please open a jira for the breaking change mentioned by @junrao

[chia7712]

Thinking a bit more about this. Since we typically only introduce breaking changes in major releases, it might be useful to take a more conservative approach by only logging a warning for duplicated entries for now and rejecting them starting in 5.0.

perhaps we should print warnings instead of throwing exception in 4.x.

            if (Set.copyOf(values).size() != values.size()) {
                throw new ConfigException("Configuration '" + name + "' values must not be duplicated.");
            }

and then we could change it to exception in 5.x

@junrao @m1a2st WDYT?

[m1a2st]

Thinking a bit more about this. Since we typically only introduce breaking changes in major releases, it might be useful to take a more conservative approach by only logging a warning for duplicated entries for now and rejecting them starting in 5.0.

For HeaderFrom fields, headers
Both configurations should allow duplicate values. we can see the test case for reference.

perhaps we should print warnings instead of throwing exception in 4.x.

If we want to avoid breaking compatibility due to the stricter duplicate-value validation, printing a warning message is a good option.

We could also update the following configurations, which should include duplicate-value warnings as well, since their validators are customized.

TopicCreationConfig#INCLUDE_REGEX_CONFIG
TopicCreationConfig#EXCLUDE_REGEX_CONFIG
DistributedConfig#INTER_WORKER_VERIFICATION_ALGORITHMS_CONFIG
RestServerConfig#LISTENERS_DEFAULT
Cast#SPEC_CONFIG
ReplaceField#RENAMES
QuorumConfig#QUORUM_VOTERS_CONFIG
QuorumConfig#QUORUM_BOOTSTRAP_SERVERS_CONFIG
QuotaConfig#LEADER_REPLICATION_THROTTLED_REPLICAS_CONFIG
QuotaConfig#FOLLOWER_REPLICATION_THROTTLED_REPLICAS_CONFIG

[chia7712]

I'd like to revisit the lower bound change. We face a core conflict: ignoring the dynamical value creates broker inconsistency, while skipping validation renders the boundary useless. In fact, this appears to be a hard limit we encounter when developing configuration.

Could we address this by allowing configuration breaking changes in a major release, but offering a tool to generate a compatibility report? This would enable users to adjust their configuration for the next major release before updating the binary.

[AndrewJSchofield]

This is definitely a possible way forward. If v4.last had a tool to generate a compatibility report, or a way to generate the report during broker start, that would help users migrate to 5.0 without us having to violate the consistency checks for the newly incompatible configs.

[chia7712]

If v4.last had a tool to generate a compatibility report,

I assume the tool will be implemented in 4.3 and will be enhanced with more checks over time. Users will be able to ask it whether their configuration file and exising cluster are compatible with its version

that would help users migrate to 5.0 without us having to violate the consistency checks for the newly incompatible configs.

Users will still violate the incompatible configs if they fail to adjust their existing cluster (or configuration file) before upgrading

The tool could also address KAFKA-19851. The compatibility report should remind users that message.format.version is no longer supported in the new version, prompting them to use the Admin Client to remove the configuration before upgrading to 4.x

[chia7712]

To move 4.2 forward, I filed KAFKA-19879 to discuss compatibility for configuration changes. Also, @m1a2st will fix the breaking changes ( duplicate items ) in the subsequent PR #20844

[junrao]

100%. It's never ok to fail to start a broker due to existing config state.

I think we want to be reasonable about that. Currently, if one has a ZK-only based config, one can't start that broker in 4.0. But we provide warning and a migration path in the release notes. For duplicate config entries, it is not to hard to deal with it in a non-breaking way. But for things that are too hard to maintain compatibility, it's probably better to allow a breaking change, but provide enough warning and a migration path.

[AndrewJSchofield]

There's a blocker defect related to this KIP. https://issues.apache.org/jira/browse/KAFKA-19875

If I create a topic in an earlier release with a duplicated config, and then try to start the broker with AK 4.2, the broker fails to start because the stricter validation is applied. @m1a2st

[chia7712]

If I create a topic in an earlier release with a duplicated config, and then try to start the broker with AK 4.2, the broker fails to start because the stricter validation is applied.

yes - That is exactly what we are discussing in #20334 (comment).