KAFKA-18775: Simplify controller quorum changes through the Admin API

[brandboat]

Add convenience Admin APIs that require only a controller ID and extend
the voter RPCs to support deriving omitted directory IDs and endpoints.

Resolve add-voter details from observer state and registered controller
endpoints, and resolve remove-voter directory IDs from the current voter
set. Preserve explicitly supplied voter information.

Update MetadataQuorumCommand to add controllers by ID and make the
directory ID optional when removing controllers. Add Raft, command, and
integration coverage for the new behavior and validation paths.

Reviewers: Luke Chen showuon@gmail.com, Kevin Wu kwu@confluent.io

[brandboat]

gentle ping @showuon, @chia7712. Could you please take a look when you're available? Thanks in advance!

[showuon]

@kevin-wu24 , fyi.

[showuon]

Thanks for the PR. Left some comments.

[showuon]

Is the error message correct for request without listener?

[showuon]

I would add some more instruction for this. Ex: Please remove one of the node and then try it again.

[showuon]

Since we expect the "error message" should be different in difference cases, could we also verify the it? Same as below.

[showuon]

TBH, I've read this test twice, I still don't know why it will fail. The test name DoesNotReplaceExplicitDirectoryId is also not clear to me. Could we add comments on each test like the testRemoveVoterDerivesDirectoryId test does to make it clear what we're testing in each test?

[brandboat]

Hi Luke, thanks for the thorough review and sorry for bringing the misunderstanding... the goal of this test is to verify the behavior when a user tries to add a voter with an explicit but incorrect directory id.

The test intentionally creates two different ReplicaKeys with the same node id but different directory ids. The leader has only seen and caught up one of them as an observer, but the AddVoter request asks to add the other one. Because catch-up is tracked by the full ReplicaKey rather than just the node id, the requested voter is not considered caught up, so AddVoterHandler returns REQUEST_TIMED_OUT[1][2].

Update:
So this test verifies that the current implementation does not overwrite or derive the directory id when the user provides one explicitly. Instead, it preserves the user-provided ReplicaKey and passes it through to AddVoterHandler. As before, an incorrect explicit directory id means the requested voter cannot be matched to the caught-up observer, and the request times out.

[brandboat]

I'll add more comments in the test, hope it helps

[showuon]

Let's make the variable name clear. Maybe voterIdToBeAddedAndRemoved?

[showuon]

nit: Let's revert unneeded empty spaces.

[showuon]

Let's also assert the voter size is 1 before adding voters here.

[showuon]

Question: Could we addVoter with [node ID, directory ID] or [node ID, endpoint] ? If [node ID, directory ID] or [node ID, endpoint] doesn't match with each other, ex: wrong directory ID/endpoint to the node, what will happen? Could we also add tests for them?

[showuon]

@jsancio , call for review. Thanks.

[kevin-wu24]

Thanks for the feature @brandboat. Left a few comments:

[kevin-wu24]

It would be nice if we did not introduce public methods to KafkaRaftClient that are not part of the RaftClient API. This method seems very implementation-specific. I think the issue is that it is not easy to get controller server state into the raft layer.

Is it possible to have the raft client constructor take a NodeEndpointProvider instead as a parameter?

In ControllerServer, I see:

registrationsPublisher = new ControllerRegistrationsPublisher()

We could initialize the publisher in SharedServer if we are a controller, define the NodeEndpointProvider there for based on whether we are broker or controller, and then pass it to KafkaRaftManager. What do you think?

[kevin-wu24]

This line needs to execute after we set the NodeEndpointProvider if we keep the current approach, not before. When returning from this line, raft network client and io thread have already started doing work.

[kevin-wu24]

We should add a withNodeEndpointProvider method to the RaftClientTestContext.Builder class instead.

[kevin-wu24]

I think you're hitting this code in AddVoterHandler#handleApiVersionsResponse:

if (!leaderState.isReplicaCaughtUp(current.voterKey(), currentTimeMs)) {
            logger.info(
                "Aborting add voter operation for {} at {} since it is lagging behind: {}",
                current.voterKey(),
                current.voterEndpoints(),
                leaderState.getReplicaState(current.voterKey())
            );

We do a fetch via the observer replica key to catch it up before sending the add voter request, but not the requestedVoter replica key.

Ideally, putting the wrong directory id in the ADD_RAFT_VOTER request should not even get to this point. We should return INVALID_REQUEST before even entering AddVoterHandler. We should be returning a similar error to the test below.

Because you're running add-voter from the node that is being added (in both manual + auto join case), the directory id would be correct or ZERO_UUID, but never incorrect.

[kevin-wu24]

I am kind of confused about the purpose of this test. We have an observer replica key that the leader should add to observerStates because we send a fetch from that key in prepareLeaderToReceiveAddVoter. Then we send ADD_RAFT_VOTER with the same observer id but a different directory ID, is that correct?

It still seems to me that even after this KIP, the malformed ADD_RAFT_VOTER with the wrong directory UUID delivered on L474 is not handled by the existing code.

[kevin-wu24]

We can parametrize this test based on the boolean usingBootstrapControllers right?

[kevin-wu24]

How did you set up an observer controller in the integration tests? This is using the KafkaClusterTestKit under the hood right? Mostly curious, since I don't remember that code being able to set up kraft observers that were not brokers.

[kevin-wu24]

Oh I see, we make it standalone, but do not have auto-join on.