...

Two new methods will be added to org.apache.kafka.clients.consumer.KafkaConsumer: getThreadAccessKey and setThreadAccessKey.

One class is added: org.apache.kafka.clients.consumer.ThreadAccessKey.

Proposed Changes

In this PR we replace the thread-id check with an access-key that allows a callback to pass on access to the Kafka consumer.

To keep existing programs working without changes, the access key is stored on a thread-local variable and is also put on a stack of access keys stored in the consumer. Developers who work in an async runtime can get the access-key via getThreadAccessKey and then activate it on the thread-local variable in a thread of their choosing with setThreadAccessKey.

Inside the consumer we maintain a stack of access keys to track which thread is allowed to use the consumer. We need a stack and not a single value because it is possible to have callbacks from callbacks. The top of the stack corresponds to the most recent consumer invocation. An empty stack means that the consumer is not yet invoked.

[Diagram: Consumer invoked from callback]

[Diagram: Consumer invoked from callback, other thread]

Kafka consumer methods that need to be protected against multi-threaded access start by invoking the private method acquire and end by invoking the private method release. This KIP does not change that. However, the implementation of acquire and release changes.

When acquire is invoked, we first check if access is restricted. It is restricted when the access-key stack is not empty. If it is not empty, the thread-local variable must be equal to the value on the top of the stack. If it is empty, any thread may continue. After this check, we generate a new access-key that can be used inside callbacks. This new access key is pushed on the stack and also stored in the thread-local variable.

When the consumer then calls a callback, the callback must be able to invoke the consumer again. This is allowed because the thread-local variable corresponds to the top of the stack. Therefore, code that is not aware of this KIP (all programs in existence till now) will continue to work as before.
The callback may now choose to access the thread-local variable (using getThreadAccessKey), and store the access key on the thread-local variable of another thread (using setThreadAccessKey), thereby allowing that thread to access the consumer. Because acquire immediately and atomically stores a new access key, it is not possible for multiple threads to use a valid access key concurrently.
When a callback passes on the access-key to another thread, it must wait for that other thread to complete before returning from the callback.

When release is invoked, we first validate that the top of the stack is equal to the thread-local variable. If it is not equal, it means that a callback didn't wait for the other thread to complete. After the check we pop the top value of the access-key stack, and then restore the new top of the stack to the thread-local variable, or if the stack is now empty we clear the thread-local variable.

Details

The access keys must be sufficiently random so that they cannot be guessed.

We use object identity to compare access keys. For this purpose the class ThreadAccessKey is introduced. This has the advantages that it is not possible to guess keys and it gives an efficient implementation.

When a check fails, we throw a ConcurrentModificationException, similar to the current behavior of the consumer.
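
The acquire and release rules described above, modelled as an added Java sketch (not the KIP's or Kafka's own code). The class AccessKeyDemo and its poll method are hypothetical stand-ins for the consumer, and keeping the thread-local variable per consumer instance is an assumption.

```java
import java.util.*;

// Added sketch: models only the access-key bookkeeping, not the real KafkaConsumer.
public class AccessKeyDemo {
    // Keys are compared by object identity only, so they cannot be guessed.
    static final class ThreadAccessKey {}
    private final ThreadLocal<ThreadAccessKey> threadKey = new ThreadLocal<>();
    private final Deque<ThreadAccessKey> stack = new ArrayDeque<>();
    ThreadAccessKey getThreadAccessKey() { return threadKey.get(); }
    void setThreadAccessKey(ThreadAccessKey key) { threadKey.set(key); }

    private synchronized void acquire() {
        // Restricted when the stack is not empty: the caller must hold the top key.
        if (!stack.isEmpty() && stack.peek() != threadKey.get())
            throw new ConcurrentModificationException("thread does not hold the current access key");
        ThreadAccessKey fresh = new ThreadAccessKey(); // key for callbacks of this invocation
        stack.push(fresh);
        threadKey.set(fresh);
    }

    private synchronized void release() {
        // A mismatch means a callback returned before the thread it handed the key to finished.
        if (stack.isEmpty() || stack.peek() != threadKey.get())
            throw new ConcurrentModificationException("release without holding the top access key");
        stack.pop();
        if (stack.isEmpty()) threadKey.remove(); else threadKey.set(stack.peek());
    }

    // Hypothetical stand-in for a protected consumer method that runs a callback.
    void poll(Runnable callback) {
        acquire();
        try { callback.run(); } finally { release(); }
    }
    public static void main(String[] args) {
        AccessKeyDemo consumer = new AccessKeyDemo();
        consumer.poll(() -> {
            ThreadAccessKey key = consumer.getThreadAccessKey();
            Thread helper = new Thread(() -> {
                consumer.setThreadAccessKey(key); // hand-off: helper now holds the top key
                consumer.poll(() -> System.out.println("helper thread: nested call allowed"));
            });
            Thread unrelated = new Thread(() -> {
                try { consumer.poll(() -> { }); }
                catch (ConcurrentModificationException e) { System.out.println("unrelated thread: " + e.getMessage()); }
            });
            // The callback waits for each thread to complete before it returns.
            try { helper.start(); helper.join(); unrelated.start(); unrelated.join(); }
            catch (InterruptedException e) { Thread.currentThread().interrupt(); }
        });
    }
}
```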

Compatibility, Deprecation, and Migration Plan

For existing users (almost) nothing changes. The only change is the exception message for using the consumer from the wrong thread: the message of the ConcurrentModificationException no longer contains the expected thread id.

There is no need to deprecate anything. No migration is needed.

Test Plan

INPUT NEEDED

As far as the author is aware, there are currently no (integration) tests that test the thread-id check. If there are any, they should continue to pass. In addition, they could be extended to support the additional behavior.

...

Disabling the thread-id check based on configuration would be a very easy change for us. However, without the check it will become very easy to use the consumer incorrectly, especially from multi-threaded asynchronous runtimes.

...

This is a stronger approach than alternative A, but still a lot weaker than the proposed change. For example, with this alternative, when a callback is running, a completely unrelated thread may use the consumer. Since that thread is unrelated, there is no coordination between when the callback ends and the other thread, causing the consumer to be running on multiple threads after all. This can lead to bugs that are very hard to track.