[FLINK-7784] [kafka-producer] Don't fail TwoPhaseCommitSinkFunction when failing to commit during job recovery

[GJL]

What is the purpose of the change

This makes it possible to configure the TwoPhaseCommitSinkFunction's behaviour w.r.t. transaction timeouts.

Brief change log

• Introduce transaction timeouts to TwoPhaseCommitSinkFunction.
• Timeout can be used to generate warnings if the transaction's age approaches the timeout.
• If an exception is thrown during job recovery, the sink can be configured not to propagate the exception and instead log it on ERROR level.

Verifying this change

This change added tests and can be verified as follows:

• Extended unit tests for TwoPhaseCommitSinkFunction to test added functionality
• Manually verified the change by running a job with a FlinkKafka011Producer with checkpoint interval 27000 and transaction.timeout.ms = 30000. Warnings were generated correctly.

Does this pull request potentially affect one of the following parts:

• Dependencies (does it add or upgrade a dependency): (yes / no)
• The public API, i.e., is any changed class annotated with @Public(Evolving): (yes / no)
• The serializers: (yes / no / don't know)
• The runtime per-record code paths (performance sensitive): (yes / no / don't know)
• Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Yarn/Mesos, ZooKeeper: (yes / no / don't know)

Documentation

• Does this pull request introduce a new feature? (yes / no)
• If yes, how is the feature documented? (not applicable / docs / JavaDocs / not documented)

[GJL]

@aljoscha @pnowojski

[aljoscha]

The changes look very good! @pnowojski could you please also have a look at this?

[pnowojski]

One remark for the future. Please try to not mix refactors with real code changes. It is more difficult to review things - for example it is unclear at the first glance whether anything has changed in testFailBeforeNotify .

[pnowojski]

nit: Don't we have somewhere implemented similar/same parsing/reading numeric logic?

[GJL]

Couldn't find any. I thought about using the parsing logic from Kafka but it is package private.

[pnowojski]

nit: Please move this method to the top, somewhere around setLogFailuresOnly

[GJL]

Thanks. Moved it.

[pnowojski]

rename to propagateTransactionTimeouts or ignoreTransactionTimeouts?

[GJL]

Will rename to failurePropagationAfterTransactionTimeoutDisabled as this name is closer to the method name that controls this field.

[pnowojski]

Part of my concern was that the name is quite long (same applies for the methods). Maybe ignoreFailuresAfterTimeout? Or ignoreFailuresAfterTransactionTimeout?

[GJL]

Ok, I like ignoreFailuresAfterTransactionTimeout. The method name is now the same, though.

[pnowojski]

I would prefer to implement this sanity check in FlinkKafkaProducer011, since it's a walk around Kafka's bug and unlikely to be useful in general case. And after Kafka 0.11.0.2 or 1.0.0 release we won't need this code anymore.

[GJL]

If exceeding the transactionTimeout can result in data loss, I prefer the feature here (i.e., TwoPhaseCommitSinkFunction). You may want to be warned before something bad happens so that parameters can be tuned.

[pnowojski]

I'm not convinced, since this will make our public api larger and more difficult to maintain. However if @aljoscha is ok with that I will yield ;)

[aljoscha]

I tend to agree with @pnowojski about the API surface but I think in this case this is a valid safety net for possible future transaction sinks.

[pnowojski]

this 0 in method's name doesn't help in anything. Maybe rename it to either beginTransactionHolder, beginTransactionWrapper, beginTransactionInternal, beginTransactionAndStartTimeoutTimer or beginTransactionAndMarkTime?

[GJL]

Will rename.

[pnowojski]

ditto: overloading adds confusion, because it suggests that both methods (recoverAndCommit(TXN) and recoverAndCommit(TransactionHolder)) are equally valid and could be used interchangeably.

As above, maybe rename to recoverAndCommitHolder, recoverAndCommitWrapper, recoverAndCommitInternal, recoverCommitAndHandleTimeout?

[GJL]

Will rename.

[pnowojski]

Maybe add explicit warning about a data loss? "Error while committing transaction {}. Data loss might occurred"

[GJL]

Good. Will add a statement to the log message.

[pnowojski]

nit: TransactionWrapper? - if you prefer Holder it can be as it is

[GJL]

I will leave it as is. It's an internal class and it is clear what it does.

[pnowojski]

Why did you remove this encapsulation?

[GJL]

I am using

	@Rule
	public TemporaryFolder folder = new TemporaryFolder();

to create test folders are files which are cleaned up automatically. Since the rule must be a public field in the test, it would have required more work to keep the TestContext (e.g., new constructor arguments would be needed to pass the files).

FileBasedSinkFunction is also not static anymore so that it can access the fields of the test directly. I wanted to avoid creating more constructor arguments. Let me know if this is problematic.

[pnowojski]

Will all of those mockLogger tests fail, if you replace:

			log.warn("Transaction {} has been open for {} ms. " +
					"This is close to or even exceeding the transaction timeout of {} ms.",
				transactionHolder.handle,
				elapsedTime,
				transactionTimeout);

with

			log.warn("Transaction {} has been open for too long. " +
					"This is close to or even exceeding the transaction timeout of {} ms.",
				transactionHolder.handle,
				transactionTimeout);

or

			log.warn(String.format("Transaction {} has been open for {} ms. " +
					"This is close to or even exceeding the transaction timeout of {} ms.",
				transactionHolder.handle,
				elapsedTime,
				transactionTimeout));

?
If so, then this is a perfect example my I consider mockito to be the definition of evil. Using mockito in tests in 99% cases is duplicating/copying productional code into tests, basically repeating the implementation, which is super fragile and brakes on even the tiniest refactors. While good tests instead should check/assert the actual effects - not whether specific method calls were called and how many times they were called.

[GJL]

The test is asserting on the presence of the substring This is close to or even exceeding the transaction timeout in the log message. All your changes to the code would still pass the test except for the 2nd case because there is an assert on the elapsed time. Mockito is used here so that the argument passed to .warn can be captured. Imo this is not evil as no behaviour is mocked, and actual effects are tested. In my case, logging a message if the transaction is too old is the only effect (see for example testLogTimeoutAlmostReachedWarningDuringCommit).

[pnowojski]

Are you sure? Logger.warn(String, Object...), Logger.warn(String, Object), Logger.warn(String, Object, Object) and Logger.warn(String) are different methods.

This shows, that you are not testing for the effects (warning message being logged somewhere), but you test whether one particular method was called or not.

[GJL]

True, you are right. One would need to implement the org.slf4j.Logger interface to do it right.

• http://projects.lidalia.org.uk/slf4j-test/ provides a org.slf4j.Logger implementation for unit testing but this approach comes with other problems (e.g. classpathDependencyExcludes are not picked up by IntelliJ Mahoney/slf4j-test#15, NOP if log level is disabled

Right now I don't see a way to do it properly. Any help is welcome.

[GJL]

The test does not rely on any mocks anymore. I am not 100% happy with it because we use log4j 1.x which is not maintained anymore and in log4j 2.x, the APIs have changed a lot: http://logging.apache.org/log4j/2.x/manual/customconfig.html#AddingToCurrent

I propose to leave it as is for now.

[pnowojski]

please do not use mockito for classes that are so easy to implement and mock in old fashion way (creating SettableClock seems to be super easy).

[GJL]

I agree with you that overusing mocks is an anti-pattern. Changed it to a real implementation. Please have a look. I am not sure if this is better now because after all, the only mocked function on Clock was .millis().

[aljoscha]

Why are these removed? Did they never actually test anything?

[GJL]

The tests that I removed were already in FlinkKafkaProducerTests. Probably some copy paste error.

[pnowojski]

Yes that's right. Those tests are also in FlinkKafkaProducerTest.

[pnowojski]

LGTM

[tzulitai]

LGTM, thanks for the work @GJL. Merging this ..