Status
Current state: Under Discussion
Discussion thread: here
JIRA: KAFKA-2511
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
Motivation
This KIP tries to address the following issues in Kafka.
- Log retention might not be honored: Log retention is currently at the log segment level, and is driven off the last modification time of a log segment. This approach does not quite work when a replica reassignment happens because the newly created log segment will effectively have its modification time reset to now.
- Log rolling might break for a newly created replica as well because of the same reason as (1).
Besides that, the KIP will also facilitate some use cases, such as stream processing, where a timestamp is needed.
This KIP is a distilled/improved version of an earlier discussion that we started.
This KIP should preferably be implemented together with KIP-31, if possible, to avoid changing the wire protocol twice.
Public Interfaces
There are a few options to achieve the goals. Each has its own pros and cons. Please see the details below.
Proposed Changes
Three options were proposed before Option 4. The details of Option 1, Option 2 and Option 3 are in the Rejected Alternatives section.
Option 4 - Add a Time field to the message format with a maximum allowed time difference configuration on the broker.
After extended discussion over option 1, option 2 and option 3, it turns out to be very difficult to meet all the following requirements at the same time:
- Have only one timestamp concept in Kafka.
- Enforce the time based log retention / log rolling for different use cases. (Some use cases need to be based on LogAppendTime while others prefer CreateTime.)
- Protect the broker from misbehaving users (e.g. appending a wrong create time to messages).
Option 4 adds a configuration to the broker to allow users to decide which timestamp they want to use according to their use case.
- Allow the user to stamp the message when producing it.
- When the broker receives a message, it looks at the difference between its local time and the timestamp in the message.
  - If the time difference is within a configurable threshold max.message.time.difference.ms, the server will accept it and append it to the log.
  - If the time difference is beyond the configured threshold max.message.time.difference.ms, the server will override the timestamp with its current local time and append the message to the log.
  - max.message.time.difference.ms will be a per topic configuration.
- The index will be built so it has the following guarantees.
  - If a user searches by timestamp:
    - all the messages after that timestamp will be consumed.
    - the user might see earlier messages.
  - The log retention will look at the last time index entry in the time index file, because the last entry will be the latest timestamp in the entire log segment. If that entry expires, the log segment will be deleted.
  - The log rolling has to depend on the earliest timestamp. In this case we may need to keep an in-memory timestamp only for the current active log. On recovery, we will need to read the active log segment to get the timestamp of the earliest message.
- The downsides of this proposal are:
  - The timestamp might not be monotonically increasing.
  - The log retention might become non-deterministic, i.e. when a message will be deleted now depends on the timestamps of the other messages in the same log segment. And those timestamps are provided by the user within a range depending on what the time difference threshold configuration is.
  - The semantic meaning of the timestamp is vague because some of the timestamps might have been overwritten and some might not.
- Although the proposal has some downsides, it gives the user the flexibility to use the timestamp.
  - If the time difference threshold is set to Long.MaxValue, the timestamp in the message is equivalent to CreateTime.
  - If the time difference threshold is set to 0, the timestamp in the message is equivalent to LogAppendTime.
  - If the time difference threshold is between 0 and Long.MaxValue, it ensures the messages will always have a timestamp within a certain range.
The following changes are needed to implement the above proposal.
Wire protocol change - add a Time field to the message format
    MessageAndOffset => MessageSize Offset Message
      MessageSize => int32
      Offset => int64
      Message => Crc MagicByte Attributes Timestamp KeyLength Key ValueLength Value
        Crc => int32
        MagicByte => int8
        Attributes => int8
        Time => int64 <---------------------- NEW
        KeyLength => int32
        Key => bytes
        ValueLength => int32
        Value => bytes
Add a time field to both ProducerRecord and ConsumerRecord
- If the user specifies the timestamp for a ProducerRecord, the ProducerRecord will be sent with this timestamp.
- If the user does not specify the timestamp for a ProducerRecord, the producer stamps the ProducerRecord with the current time.
- ConsumerRecord will have the timestamp of the message that was stored on the broker.
Broker configuration change - add a max.message.time.difference.ms configuration to the broker
The default value of this configuration will be Long.MaxValue, i.e. by default the server will not override any user timestamp.
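The accept-or-override rule and its effect on segment retention, as an added sketch that is not part of the KIP or of Kafka's code. The function names, the inclusive threshold comparison and the sample traffic are assumptions made for the illustration.

```python
LONG_MAX = 2**63 - 1          # Java Long.MaxValue, the proposed default
HOUR_MS = 3_600_000
DAY_MS = 24 * HOUR_MS


def broker_timestamp(msg_ts_ms, broker_now_ms, max_diff_ms):
    """Apply the Option 4 rule; return (stored_timestamp, overridden)."""
    # Assumption: "within the threshold" is inclusive (difference <= threshold).
    if abs(broker_now_ms - msg_ts_ms) <= max_diff_ms:
        return msg_ts_ms, False
    return broker_now_ms, True


def append_all(produced, max_diff_ms):
    """produced: list of (client_timestamp_ms, broker_clock_ms_at_arrival)."""
    return [broker_timestamp(ts, now, max_diff_ms)[0] for ts, now in produced]


def is_monotonic(stored):
    """True if stored timestamps never go backward in log order."""
    return all(a <= b for a, b in zip(stored, stored[1:]))


def segment_expired(stored, now_ms, retention_ms):
    """Retention is decided by the latest timestamp in the segment."""
    return now_ms - max(stored) > retention_ms


# Constructed sample traffic for one log segment (not real data).
T = 1_440_000_000_000
PRODUCED = [
    (T - 50, T),                      # healthy producer, 50 ms in flight
    (T + 365 * DAY_MS, T + 1_000),    # producer clock one year ahead
    (T + 1_950, T + 2_000),           # healthy producer
    (T - 30 * 60_000, T + 3_000),     # message delayed 30 minutes upstream
]

if __name__ == "__main__":
    check_at = T + 8 * DAY_MS         # one day past a 7 day retention
    for name, limit in [("Long.MaxValue", LONG_MAX), ("1 hour", HOUR_MS), ("0", 0)]:
        stored = append_all(PRODUCED, limit)
        print("threshold=%-13s monotonic=%-5s expired_after_8_days=%s"
              % (name, is_monotonic(stored),
                 segment_expired(stored, check_at, 7 * DAY_MS)))
```

With the default threshold, the one message stamped a year ahead keeps the whole segment alive past retention; a one hour threshold bounds that, but still admits out-of-order timestamps.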
Build Time Index for messages based on message timestamp
Please see the details in KIP-33.
Change time based log retention and log rolling to be based on the time index
Please see the details in KIP-33.
Compatibility, Deprecation, and Migration Plan
NOTE: This part is drafted based on the assumption that KIP-31 and KIP-32 will be implemented in one patch.
The proposed protocol is not backward compatible. The migration plan is as below:
Phase 1 (MessageAndOffset V0 on disk):
- Set message.format.version=0 on brokers. (Broker will write MessageAndOffset V0 to disk)
- Create internal ApiVersion 0.9.0-1** which uses ProducerRequest V2 and FetchRequest V2.
- Configure the broker to use ApiVersion 0.9.0 (ProduceRequest V1 and FetchRequest V1).
- Do a rolling upgrade of the brokers to let the brokers pick up the new code supporting ApiVersion 0.9.0-1.
- Bump up ApiVersion of the brokers to 0.9.0-1 to let the brokers use FetchRequest V2 for replication.
- Upgraded brokers support both ProducerRequest V2 and FetchRequest V2, which use magic byte 1 for MessageAndOffset.
  - When broker sees a producer request V1 (MessageAndOffset = V0), it will decompress the message, assign offsets using absolute offsets and re-compress the message.
  - When broker sees a producer request V2 (MessageAndOffset = V1), it will decompress the message, assign offsets using absolute offsets, ignore the time field and do re-compression, i.e. down-convert the message format to MessageAndOffset V0.
  - When broker sees a fetch request V1 (Supporting MessageAndOffset = V0), because the data format on disk is MessageAndOffset V0, it will use the zero-copy transfer to reply with fetch response V1 with MessageAndOffset V0.
  - When broker sees a fetch request V2 (Supporting MessageAndOffset = V0, V1), because the data format on disk is MessageAndOffset V0, it will use zero-copy transfer to reply with fetch response V2 with MessageAndOffset V0.
- Upgrade consumer to send FetchRequest V2.
- Upgrade producer to send ProducerRequest V2.
Phase 2 (MessageAndOffset V1 on disk):
- After most of the consumers are upgraded, bump up message.format.version=1 and rolling bounce the brokers.
- Upgraded brokers do the following:
  - When broker sees a producer request V1 (MessageAndOffset = V0), it will decompress the message, assign offsets using relative offsets, fill in the time field with current server time and re-compress the message, i.e. up-convert the message format to MessageAndOffset V1.
  - When broker sees a producer request V2 (MessageAndOffset = V1), it will decompress the message, assign offsets using relative offsets, check and maybe overwrite the time field, and NOT do re-compression.
  - When broker sees a fetch request V1 (Supporting MessageAndOffset = V0), because the data format on disk is MessageAndOffset V1, it will NOT use the zero-copy transfer. Instead the broker will read the messages from disk, down-convert them to V0 and reply using fetch response V1 with MessageAndOffset V0.
  - When broker sees a fetch request V2 (Supporting MessageAndOffset = V0, V1), because the data format on disk is MessageAndOffset V1, it will use zero-copy transfer to reply with fetch response V2 with MessageAndOffset V1.
For producer, there will be no impact.
In phase 1, there will be no impact for consumers.
In phase 2, there will be some performance penalty for consumers that only support MessageAndOffset V0, because there is no zero-copy transfer.
At the beginning of phase 2, there will be a period when the log segments contain both MessageAndOffset V0 and V1. The broker will always do down conversion for FetchRequest V1 and zero-copy transfer for FetchRequest V2.
** We introduce an internal ApiVersion here to help users who are running on trunk to upgrade in the future. Otherwise the interim ApiVersion between two official releases would require users to downgrade the ApiVersion and then upgrade.
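The Option 4 message layout and the up/down-conversion between MessageAndOffset V0 and V1 used in the migration phases, as an added Python sketch that is not Kafka's implementation. It covers only the Message part (Crc through Value); compression and offset assignment are left out, the function names are hypothetical, and it assumes the Crc is a CRC32 over every byte after the Crc field.

```python
import struct
import zlib


def encode_message(magic, key, value, time_ms=None, attributes=0):
    """Serialize one Message (Crc .. Value); magic 1 carries the new Time field."""
    if magic not in (0, 1):
        raise ValueError("unsupported magic byte %r" % magic)
    body = struct.pack(">bb", magic, attributes)
    if magic == 1:
        if time_ms is None:
            raise ValueError("magic 1 requires a timestamp")
        body += struct.pack(">q", time_ms)               # Time => int64
    for field in (key, value):
        if field is None:
            body += struct.pack(">i", -1)                # null bytes: length -1
        else:
            body += struct.pack(">i", len(field)) + field
    # Assumption: Crc covers everything after the Crc field itself.
    return struct.pack(">I", zlib.crc32(body)) + body


def decode_message(buf):
    """Parse one Message, rejecting corrupt or inconsistent input."""
    if len(buf) < 6:
        raise ValueError("truncated message header")
    (crc,) = struct.unpack_from(">I", buf, 0)
    if zlib.crc32(buf[4:]) != crc:
        raise ValueError("CRC mismatch")
    magic, attributes = struct.unpack_from(">bb", buf, 4)
    if magic not in (0, 1):
        raise ValueError("unsupported magic byte %r" % magic)
    pos, time_ms, fields = 6, None, []
    try:
        if magic == 1:
            (time_ms,) = struct.unpack_from(">q", buf, pos)
            pos += 8
        for _ in range(2):                               # Key, then Value
            (n,) = struct.unpack_from(">i", buf, pos)
            pos += 4
            if n < -1 or pos + max(n, 0) > len(buf):
                raise ValueError("bad field length %d" % n)
            fields.append(None if n == -1 else bytes(buf[pos:pos + n]))
            pos += max(n, 0)
    except struct.error as exc:
        raise ValueError("truncated message") from exc
    if pos != len(buf):
        raise ValueError("trailing bytes after Value")
    return {"magic": magic, "attributes": attributes, "time_ms": time_ms,
            "key": fields[0], "value": fields[1]}


def up_convert(v0_buf, broker_now_ms):
    """Phase 2 handling of a V0 message: fill Time with the broker clock."""
    m = decode_message(v0_buf)
    if m["magic"] != 0:
        raise ValueError("expected a magic 0 message")
    return encode_message(1, m["key"], m["value"], broker_now_ms, m["attributes"])


def down_convert(v1_buf):
    """Serve a V0-only fetcher from V1 data: drop Time, recompute the Crc."""
    m = decode_message(v1_buf)
    if m["magic"] != 1:
        raise ValueError("expected a magic 1 message")
    return encode_message(0, m["key"], m["value"], attributes=m["attributes"])


if __name__ == "__main__":
    v1 = encode_message(1, b"k", b"hello", time_ms=1_440_000_000_000)  # constructed
    v0 = down_convert(v1)
    print(len(v1), len(v0), decode_message(up_convert(v0, 42))["time_ms"])
```

Because the Crc is recomputed on every conversion, converted bytes never match what is on disk, which is why the V1-on-disk, V0-fetch path cannot use zero-copy transfer.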
To canary a broker
After phase 1, it is possible for the user to canary a broker in phase 2 and roll back if something goes wrong. The procedure is:
- Set message.format.version=1 on one of the brokers (broker B).
- Broker B will start to act as described in phase 2.
  - It will send FetchRequest V2 to other brokers for replication.
  - It will only see ProduceRequest/FetchRequest V1 from other brokers and clients.
- If something goes wrong, we can do the following to roll back:
  - shut down broker B
  - nuke the data of the topics it was serving as leader before shutdown
  - set message.format.version=0
  - restart the broker to let the broker replicate from leaders. At this point the data on disk will be in MessageAndOffset V0.
In step 2, it is recommended to put only a small number of leaders on the broker, because at that point the broker needs to do down conversion for all the fetch requests.
Option discussions with use cases
For documentation purposes, here are some discussions we had on this KIP.
This section discusses how the options work with a few use cases. Option 1, Option 2 and Option 3 are in the Rejected Alternatives section.
Options comparison
Use cases | Option 1 (Message contains CreateTime + LogAppendTime) | option 2 (Message contains LogAppendTime only) | option 3 (message contains CreateTime only, brokers keep LogAppendTime in log index) | option 4 (Message contains a timestamp that could be overridden by broker depending on configured time difference threshold) | Comparison |
---|---|---|---|---|---|
Mirror Maker | Broker overrides the LAT and keeps the CT as is. | Broker overrides the LAT | Broker keeps the CT as is and adds an index entry with LAT to the log index file. | Mirror maker will keep the consumed messages' timestamps. Those timestamps may or may not be overwritten by the target cluster depending on the configuration. | Option 1 provides the most information to user. The only concern is whether we should expose LAT to user. Option 2 loses the CreateTime information. Option 3 has the same amount of information as option 1 from the broker point of view. From the user point of view, it does not expose the LAT. Option 4 could be equivalent to either having CreateTime only or having LogAppendTime only depending on configuration. |
Log Retention | Broker will use the LAT of the last message in a segment to enforce the policy. | Same as option 1. | Broker will use the LAT of the last entry in the log index file to enforce the retention policy. Because the leader is the source of truth for LAT, followers need to get the LAT from leader when they replicate the messages. That means we need to introduce a new wire protocol to fetch the time based log index file as well. When log recovery happens, the rebuilt time index would have different LAT from the actual arrival time of the messages in the log. And the LAT in the index file will be very close, or even the same. | The broker will take a look at the last Time Index entry of the segment to decide whether to delete the log segment or not. | Option 1 and option 2 can work with existing replication design and solve the log retention issue we have now. Option 3 solves the issue but is a bit involved because it needs to replicate the time index entry as well. Option 4 could be equivalent to either having CreateTime only or having LogAppendTime only depending on configuration. |
Log rolling | Broker will use the LAT of the first message in a log segment to enforce the policy. | Same as option 1. | Broker will use the LAT of the first entry in the log index file to enforce the retention policy. Similar to the log retention case, the followers need to replicate the time index as well. When log recovery happens, the log rolling might not be honored either. | The broker will keep an in-memory earliest message timestamp in the active log segment. On broker startup, the broker will need to scan the messages in the active segment to find the earliest timestamp. | Option 1 and option 2 solve the log rolling issue. Option 3 solves the issue but is a bit involved because it needs to replicate the time index entry as well. On broker startup, Option 4 needs to scan the active log segment to find the earliest timestamp in the log segment. |
Stream processing | Applications don't need to include the CreateTime in the payload but simply use the CreateTime field. | Applications have to put CreateTime into the payload. | Applications don't need to include the CreateTime in the payload but simply use the CreateTime field. | Option 4 could be equivalent to either having CreateTime only or having LogAppendTime only depending on configuration. | The benefit of having a CreateTime with each message rather than put it into payload is that application protocol can be simplified. It is convenient for the infrastructure to provide the timestamp so there is no need for each application to worry about the timestamp. |
Latency measurement | User can get End2End latency and lag in time. | User can get the lag in time. | User can get End2End latency. | Depending on the max.message.time.difference.ms configuration. User may or may not be able to find out the latency. | Option 1 has most information for user. |
Search message by timestamp. | Detail discussion in KIP-33 | Detail discussion in KIP-33 | Detail discussion in KIP-33 | Detail discussion in KIP-33 | Detail discussion in KIP-33 |
Mirror maker case in detail
The behavior of the broker is the same for all the options: the broker will always override the LogAppendTime (if it exists) when a message arrives at the broker and keep the CreateTime (if it exists) untouched.
The broker does not distinguish mirror maker from other producers. The following example explains what the timestamps will look like when there is a mirror maker in the picture. (CT - CreateTime, LAT - LogAppendTime)
- Application producer produces message at T0. ( [CT = T0, LAT = -1] )
- The broker in cluster1 received message at T1 = T0 + latency1 and appended the message to the log. Latency1 includes linger.ms and some other latency. ( [CT = T0, LAT = T1] )
- Mirror maker copies the message to broker in cluster2. ( [CT = T0, LAT = T1] )
- The broker in cluster2 receives message at T2 = T1 + latency2 and appended the message to the log. ( [CT = T0, LAT = T2] )
The CreateTime of a message in source cluster and target cluster will be same. i.e. the timestamp is passed across clusters.
The LogAppendTime of a message in source cluster and target cluster will be different.
Discussion: should we use CreateTime OR LogAppendTime for log retention and time based log rolling?
To discuss the usage of CreateTime and LogAppendTime, it is useful to summarize the latency pattern of the messages flowing through the pipeline. The latency can be summarized into the following patterns:
- the messages flow through the pipeline with small latency.
- the messages flow through the pipeline with similar large latency.
- the messages flow through the pipeline with large latency difference.
Also it would be useful to think about the impact of a completely wrong timestamp set by client. i.e. the robustness of the system.
Log Retention
There are both pros and cons for log retention to be based on CreateTime or LogAppendTime.
- Pattern 1: Because the latency is small, CreateTime and LogAppendTime will be close and there won't be much difference.
- Pattern 2: If the log retention is based on the message creation time, it will not be affected by the latency in the data pipeline because the send time will not change. If the log retention is based on the LogAppendTime, it will be affected by the latency in the pipeline. Because of the latency difference, some data can be deleted on one cluster, but not on another cluster in the pipeline.
- Pattern 3: When messages with significantly different timestamps go into a cluster at around the same time, the retention policy is hard to follow if we use CreateTime. For example, imagine two mirror makers copy data from two source clusters to the same target cluster. If MirrorMaker1 is copying messages with CreateTime around 1:00 PM today, and MirrorMaker2 is copying messages with CreateTime around 1:00 PM yesterday, those messages can go to the same log segment in the target cluster. It will be difficult for the broker to apply the retention policy to the log segment. The broker needs to maintain the knowledge about the latest CreateTime of all messages in a log segment and persist the information somewhere.
- Robustness: If there is a message with CreateTime set to the future, the log might be kept for very long. The broker needs to sanity check the timestamp when it receives the message. It could be tricky to determine which timestamp is not valid.
Comparison:
 | pattern 1 | pattern 2 | pattern 3 | Robustness |
---|---|---|---|---|
Preference | CT or LAT | CT | LAT | LAT |
In reality, we usually don't see the whole pipeline having the same large latency, so it looks like LogAppendTime is preferable to CreateTime for log retention.
Time based log rolling
The main purpose of time based log rolling is to avoid the situation where a low volume topic always has only one segment which is also the active segment. From its nature, server side log rolling makes more sense.
- Pattern 1: Because the latency is small, CreateTime and LogAppendTime will be close and there won't be much difference.
- Pattern 2: When the latency is large, it is possible that when a new message is produced to a broker, the CreateTime has already reached the rolling criteria. This might cause a segment with only one message.
- Pattern 3: Similar to pattern 2, a lagged message might result in a single message log segment.
- Robustness: Similar to pattern 2 and pattern 3. Also a CreateTime in the future might break the log rolling as well.
 | pattern 1 | pattern 2 | pattern 3 | Robustness |
---|---|---|---|---|
Preference | CT or LAT | LAT | LAT | LAT |
Rejected Alternatives
Option 1 - Add both CreateTime and LogAppendTime to message format
Wire protocol change
    MessageAndOffset => MessageSize Offset Message
      MessageSize => int32
      Offset => int64
      Message => Crc MagicByte Attributes Timestamp KeyLength Key ValueLength Value
        Crc => int32
        MagicByte => int8
        Attributes => int8
        CreateTime => int64 <---------------------- NEW
        LogAppendTime => int64 <---------------------- NEW
        KeyLength => int32
        Key => bytes
        ValueLength => int32
        Value => bytes
Add CreateTime and LogAppendTime field to message
CreateTime
- CreateTime will be set by the producer and will not be changed afterward.
- CreateTime accuracy is millisecond.
- For compressed message, the CreateTime of the wrapper message will be the CreateTime of the first compressed message.
LogAppendTime
- The LogAppendTime will be assigned by the broker upon receiving the message. If the message is coming from mirror maker, the original CreateTime will be maintained but the LogAppendTime will be changed by the target broker.
- The LogAppendTime will be used to build the log index.
- The LogAppendTime accuracy is millisecond.
- The LogAppendTime of the outer message of compressed messages will be the latest LogAppendTime of all its inner messages.
  - If the compressed message is not compacted, the relative offsets of inner messages will be contiguous and share the same LogAppendTime.
  - If the compressed message is compacted, the relative offsets of inner messages may not be contiguous. Its LogAppendTime will be the LogAppendTime of the last inner message.
- The followers will not reassign LogAppendTime but simply update an in-memory lastAppendedLogAppendTime and append the message to the log.
- To handle leader migration where the new leader has a slower clock than the old leader, every leader should append max(lastAppendedTimestamp, currentTimeMillis) as the timestamp.
A corner case for LogAppendTime(LAT) - Leader migration:
Suppose we have broker0 and broker1. Broker0 is the current leader of a partition and broker1 is a follower. Consider the following scenario:
- message m0 is produced to broker 0 at time T0 (LAT = T0, T0 is the clock on broker 0).
- broker1 as a follower replicated m0 and appended to its own log without changing the LogAppendTime of m0.
- broker0 went down and broker 1 became the new leader.
- message m1 is produced to broker 1 at time T1 (LAT = T1, T1 is the clock on broker 1).
In step 4, it is possible that T1 < T0 because of the time difference on two brokers. If we naively take T1 as the timestamp of m1, then the timestamp will be out of order. i.e. a message with earlier timestamp will show later in the log. To avoid this problem, at step 4, broker 1 can take max(T1, T0) as the timestamp for m1. So the timestamp in the log will not go backward. Broker 1 will be using T0 as timestamp until its own clock advances after T0.
To be more general, when a message is appended, the broker (whether leader or follower) should remember the timestamp of the last appended message. If a later appended message has a timestamp earlier than the timestamp of the last appended message, the timestamp of the last appended message will be used.
Change time based log rolling and retention to use LogAppendTime
Time based log rolling and retention currently use the file creation time and last modified time. This does not work for newly created replicas because the time attributes of the files are different from the true message append time. The following changes will address this issue.
- The time based log rolling will be based on the timestamp of the first message in the log segment file.
- The time based log retention will be based on the timestamp of the last message in the log segment file.
ConsumerRecord / ProducerRecord format change
- Add a CreateTime field to ProducerRecord. This field can be used by application to set the send time. It will also allow mirror maker to maintain the send time easily.
- Add both CreateTime and LogAppendTime to ConsumerRecord.
- The CreateTime is useful in use cases such as stream processing
- The LogAppendTime is useful in use cases such as log rolling and log retention.
This proposed option was rejected because:
- It introduces 16 bytes overhead to the message.
- It exposes LogAppendTime to users.
Option 2 - Adding only LogAppendTime to the message
This proposal is pretty much the same as the selected proposal, except it does not include CreateTime in the message format.
    MessageAndOffset => MessageSize Offset Message
      MessageSize => int32
      Offset => int64
      Message => Crc MagicByte Attributes Timestamp KeyLength Key ValueLength Value
        Crc => int32
        MagicByte => int8
        Attributes => int8
        LogAppendTime => int64 <---------------------- NEW
        KeyLength => int32
        Key => bytes
        ValueLength => int32
        Value => bytes
The downsides of this proposal are:
- If the CreateTime is not in the message itself, the application needs to include the timestamp in the payload. Instead of asking each application to do this, it is better to include the timestamp in the message.
- The broker is not able to report the latency metric. While we could let the application get the End2End latency, we might lose the latency for each hop in the pipeline.
Option 3 - Add CreateTime to the message and use LogAppendTime on brokers
Add CreateTime field to message
CreateTime
- CreateTime will be set by the producer and will not be changed afterward.
- CreateTime accuracy is millisecond.
- For compressed message, the CreateTime of the wrapper message will be the CreateTime of the last compressed message (this is to be consistent with base offset in KIP-31)
Use LogAppendTime for time based usages on the broker
- Build time index.
- Honor log rolling time
- Honor log retention time
Compared with Option 1, while the time based log index has to be based on LogAppendTime, there is some concern about exposing the LogAppendTime (which is a broker internal concept) to user. And there will also be some per message overhead for two timestamps.
So this approach includes only CreateTime in the message format.
Wire protocol change
Change the MessageAndOffset format to:
    MessageAndOffset => MessageSize Offset Message
      MessageSize => int32
      Offset => int64
      Message => Crc MagicByte Attributes Timestamp KeyLength Key ValueLength Value
        Crc => int32
        MagicByte => int8
        Attributes => int8
        CreateTime => int64 <---------------------- NEW
        KeyLength => int32
        Key => bytes
        ValueLength => int32
        Value => bytes
Build time based log index using LogAppendTime
The broker will still build the time based index using LogAppendTime. LogAppendTime will be only in the time index file, but not in the message format, i.e. not exposed to the user.
The broker will append a time index file entry for a message when:
- The message is the first message of a log segment.
- The message is the last message of a log segment.
- The message is the first message received in the minute.
Let replicas also fetch the log index file
Because LogAppendTime is not included in the message format, with the current replication design followers will not be able to get the LogAppendTime from the leader. In order to make the log retention and log rolling policies work, the LogAppendTime needs to be propagated from leader to followers.
In this option, the LogAppendTime only exists in the time index file, therefore when followers fetch data from the leader, they have to replicate the time index file as well.
There are a few requirements here:
- Unlike log index file, the time index file should not be rebuilt from local log when it crashes, but should always be fetched from the current leader, just the same as actual data. Otherwise we may have different time index on different replicas.
- To ensure the log segments are identical on both leader and followers, we should always have a time index entry for the first message in a log segment.
- In order to make the time based log retention work, we need the timestamp entry for the last message in a log segment.
- When we truncate the messages in log segment files, we need to truncate entries in the time index files as well.
To replicate the log index entry as well, we can add the log index entry to FetchResponse, so the fetch response will become
    FetchResponse => [TopicName [Partition ErrorCode HighwaterMarkOffset MessageSetSize MessageSet [TimeIndexEntry]]]
      TopicName => string
      Partition => int32
      ErrorCode => int16
      HighwaterMarkOffset => int64
      MessageSetSize => int32
      TimeIndexEntry => LogAppendTime Offset <------------- new, the time index entry in the message set, one partition might contain multiple entries. The array will always be empty if the fetch request is not from followers.
        LogAppendTime => int64
        Offset => int32
ConsumerRecord / ProducerRecord format change
- Add a CreateTime field to ProducerRecord. This field can be used by application to set the send time. It will also allow mirror maker to maintain the send time easily.
- Add CreateTime to ConsumerRecord.
- The CreateTime is useful in use cases such as stream processing