HDDS-14509. Allow client to choose the read consistency level

[ivandika3]

What changes were proposed in this pull request?

Currently, if OM follower read is enabled, all OM followers will serve read requests even if the client does not enable the follower read.

For leader-only client, this might be unexpected since they expect the OM follower to throw OMNotLeaderException.

We can support some kind of OM request metadata to indicate to the OM whether the client enables the follower read or not.

The implementation introduces ReadConsistencyHint field in OMRequest which allows client to hint to the OM about what the read consistency the client wants. However, for compatibility reasons, the client ReadConsistencyHint is only supported by OM in a best-effort basis. For example, if the new client sends the hint to old OM that does not support it or OM that disables linearizable read, the OM can choose not to respect the read consistency.

Currently, client can configure the default leader and follower read consistency which applies to corresponding requests. However, the long term idea is to allow client to specify per-request consistency requirements. For example in S3 use cases, client can use custom header (e.g. "x-ozone-read-consistency") to pick the desired consistency.

The idea of client-defined consistency level is inspired by other systems and literature:

• RQLite: https://rqlite.io/docs/api/read-consistency/
• Consul: https://developer.hashicorp.com/consul/api-docs/features/consistency
• "Replicated Data Consistency Explained
  Through Baseball": https://www.microsoft.com/en-us/research/wp-content/uploads/2011/10/ConsistencyAndBaseballReport.pdf

Note: Since this changes require changes in protobuf definition and possibly user-facing read consistency level. Thorough reviews and suggestions are greatly appreciated. (Edit: Currently putting this to Draft first until the proto and API changes are finalized since IMO the API and proto changes are still slightly awkward).

What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-14509

How was this patch tested?

IT.

Clean CI run: https://github.com/ivandika3/ozone/actions/runs/22216665699

[szetszwo]

@ivandika3 , thanks for working on this!

This PR also includes some refactoring/renaming and the patch file is ~70KB. Could you separate the refactoring/renaming to another JIRA? It will be easier to review.

[ivandika3]

Thanks @szetszwo for the review. I have removed some of refactoring by reverting rename from leaderFailoverProxy to failoverProxy. Regarding the refactoring for transferLeadershipToAnotherNode to MiniOzoneHAClusterImpl, I did it to remove duplication on this method in the new tests. Let me know if you'd prefer to revert this as well.

[szetszwo]

@ivandika3 , thanks for the update!

I have some high level comments inlined.

[szetszwo]

1. Stale read can be supported by local lease with infinite log lag and time limit. We may remove STALE for simplicity.
2. I think we don't need the inner enum ConsistencyType. Just add a boolean for linearizable.
3. isAllowFollowerRead sounds odd. Let's use nouns for the fields and add the verb to the method.

Below is my suggestion:

public enum ReadConsistency {
  DEFAULT(false, false),
  LOCAL_LEASE(false, true),
  LINEARIZABLE_LEADER_ONLY(true, false),
  LINEARIZABLE_ALLOW_FOLLOWER(true, true);

  private final boolean linearizable;
  private final boolean followerRead;

  ReadConsistency(boolean linearizable, boolean followerRead) {
    this.linearizable = linearizable;
    this.followerRead = followerRead;
  }

  public boolean isLinearizable() {
    return linearizable;
  }

  public boolean allowFollowerRead() {
    return followerRead;
  }

  ...
}

[ivandika3]

Thanks for the review and the suggestion on streamlining the ReadConsistency. I have changed accordingly and change some namings (e.g. removed "Consistency Type" naming).

[szetszwo]

For LOCAL_LEASE_FOLLOWER_READ, the LEADER_AND_NOT_READY case should be treated as the same as the NOT_LEADER case, i.e. just consider it as a follower. (fixed typo "LEADER_AND_READY")

[ivandika3]

Thanks for catching this, updated.

[szetszwo]

Use localLeaseContext.getLagLimit() and hasLeaseTimeMs(). We may use -1 for allowing infinite lag/time.

[ivandika3]

Thanks, used the has... and also updated allowFollowerReadLocalLease to allow infinite lag.

[szetszwo]

@ivandika3 , thanks for the update! Please see the comments inlined.

[szetszwo]

Change them to followerReadConsistencyType and leaderReadConsistencyType to ReadConsistencyHint. So it does not need to build again and again.

      if (!omRequest.hasReadConsistencyHint()) {
        final ReadConsistencyHint defaultReadConsistency = isFollowerReadEligible
            ? followerReadConsistencyType : leaderReadConsistencyType;
        if (defaultReadConsistency != null) {
          omRequest = omRequest.toBuilder()
              .setReadConsistencyHint(defaultReadConsistency)
              .build();
          args[1] = omRequest;
        }
      }

[ivandika3]

Thanks for this optimization, updated.

[szetszwo]

It is a good idea to have this as described in https://protobuf.dev/best-practices/dos-donts/#unspecified-enum. How about calling it UNSPECIFIED?

[ivandika3]

Got it, updated. We might add some kind of suffix or prefix (e.g. UNSPECIFIED_CONSISTENCY) since AFAIK once one one enum uses UNSPECIFIED other enum within the scope cannot use UNSPECIFIED anymore. Please let me know what you think.

[szetszwo]

Use ReadConsistencyHint

[ivandika3]

Thanks, updated.

[szetszwo]

Add static.

[szetszwo]

It should be "infinite log lag time"

[ivandika3]

Thanks for catching this, updated.

[szetszwo]

Combine to the if-condition below:

    if (leaseTimeMsLimit >= 0 && leaderInfo.getLastRpcElapsedTimeMs() > leaseTimeMsLimit) {

[ivandika3]

Thanks, updated.

[ivandika3]

The initial local lease implementation allows negative leaseTimeMsLimit which means that lease will be rejected all the time? It is tested by testAllowFollowerReadLocalLease. IMO, any negative leaseTimeMsLimit should infer infinite log and lag time? In that case, should we change the test to reflect this?

[szetszwo]

Let's make leaseTimeMsLimit >= -1 and use -1 for infinity. We should change the test.

[szetszwo]

Since there are two types of lag, time lag and log lag, the original name leaseLogLimit is better.

BTW, we should change the conf

• ozone.om.follower.read.local.lease.lag.limit

to

• ozone.om.follower.read.local.lease.log.limit

[ivandika3]

Thanks for catching this, updated. The initial change was because of the configuration which lead me to believe it's a typo.

[szetszwo]

Remove this line since LEADER_AND_NOT_READY and NOT_LEADER should be the same.

[ivandika3]

Good catch. LeaderStateImpl#getReadIndex handles isReady and will wait until the leader apply the no-op entry.

[szetszwo]

Use ReadConsistencyHint.

[ivandika3]

Thanks, updated.

[szetszwo]

@ivandika3 , thanks for the update! The change looks good. Just have two minor comments inlined.

[szetszwo]

Just realized that UNSPECIFIED only can be used once. Let's use READ_CONSISTENCY_UNSPECIFIED

[szetszwo]

Add a util method. Use it here and also OzoneManagerProtocolServerSideTranslatorPB.

//OmUtils
  public static boolean specifiedReadConsistency(OMRequest request) {
    return request.hasReadConsistencyHint()
        && request.getReadConsistencyHint().hasReadConsistency()
        && request.getReadConsistencyHint().getReadConsistency() != UNSPECIFIED;
  }

[szetszwo]

@ivandika3 , thanks for the update! Please see the comments inlined.

[szetszwo]

It should be != or > -- when setting it to -1, it should not return false here.

[szetszwo]

Since there are two limits, it may not "return immediately". How about below?

• "Setting this to -1 to allow infinite lag."

[szetszwo]

+1 The change looks good.

[ivandika3]

@szetszwo Thank you for the thorough reviews.