blob: ff9ee70316b8617790c3118a49864604206ab023 [file] [log] [blame]
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
[[installation]]
= Transaction Semantics in Apache Kudu
:author: Kudu Team
:imagesdir: ./images
:icons: font
:toc: left
:toclevels: 3
:doctype: book
:backend: html5
:sectlinks:
:experimental:
include::top.adoc[tags=version]
****
This is a brief introduction to Kudu's transaction and consistency semantics. For an
in-depth technical exposition of most of what is mentioned here, and why it is correct,
see the technical report <<ht>>.
****
Kudu's transactional semantics and architecture are inspired by state-of-the-art
systems such as Spanner <<spanner>> and Calvin <<fdt>>. Kudu builds upon decades of database
research. The core philosophy is to make the lives of developers easier by providing transactions
with simple, strong semantics, without sacrificing performance or the ability to tune to different
requirements.
Kudu currently allows the following operations:
* *Write operations* are sets of rows to be inserted, updated, or deleted in the storage
engine, in a single tablet with multiple replicas. Write operations do not have separate
"read sets" i.e. they do not scan existing data before performing the write. Each write
is only concerned with previous state of the rows that are about to change.
Writes are not "committed" explicitly by the user. Instead, they are committed automatically
by the system, after completion.
* *Write transactions* are groups of write operations across potentially multiple tablets
that are committed atomically upon the user's request. Once each write operation within a
transaction is complete, the user sends an explicit "commit" request to make the contents of the
transaction visible to readers at a single timestamp.
* *Scans* are read operations that can traverse multiple tablets and read information
with different levels of consistency or correctness guarantees. Scans can perform
time-travel reads, i.e. the user is able to set a scan timestamp in the past and
get back results that reflect the state of the storage engine at that point in time.
[NOTE]
.Before We Begin
====
* The term _timestamp_ is mentioned several times to illustrate the
functionality, but _timestamp_ is an internal concept mostly invisible to users,
except when setting timestamp on a `KuduScanner`.
* We generally refer to methods and classes of the {cpp} client. While the Java
client mostly has analogous methods and classes, the exact names of the APIs
may differ.
====
== Single tablet write operations
Kudu employs _Multiversion Concurrency Control (MVCC)_ and the _Raft consensus_
algorithm <<consensus>>. Each write operation in Kudu must go through the
tablet's leader.
. The leader acquires all locks for the rows that it will change.
. The leader assigns the write a timestamp before the write is submitted for
replication. This timestamp will be the write's "tag" in MVCC.
. After a majority of replicas acknowledges the change, the actual rows are changed.
. After the changes are complete, they are made visible to concurrent writes
and reads, atomically.
All replicas of a tablet observe the same order of operations, and if a write
operation is assigned timestamp _n_ and changes row _x_, a second write operation
at timestamp _m > n_ is guaranteed to see the new value of _x_.
This strict ordering of lock acquisition and timestamp assignment is enforced to be
consistent across all replicas of a tablet through consensus. Therefore, write operations
are totally ordered with regard to clock-assigned timestamps, relative to other writes
in the same tablet. In other words, writes have strict-serializable semantics,
though in an admittedly limited context. See this
link:http://www.bailis.org/blog/linearizability-versus-serializability[blog post]
for a little more context regarding what these semantics mean.
While Isolated and Durable in an ACID sense, multi-row write operations, even within a single
tablet, are not fully Atomic unless they are a part of a multi-tablet write transaction. The failure
of a single write in a batch operation does not roll back the operation, but produces per-row
errors.
== Multi-tablet write operations
Regardless of whether they are a part of a transaction, writes from a Kudu client are optionally
buffered in memory until they are flushed and sent the server. When a client's session flushes, the
rows for each tablet are batched together, and sent to the tablet server that hosts the leader
replica of the tablet. Outside of a transaction, each of these batches represents a single,
independent write operation with its own timestamp. However, the client API provides the option to
impose some constraints on the assigned timestamps and on how writes to different tablets are
observed by clients.
Kudu, like Spanner, was designed to be externally consistent <<consistency>>, preserving consistency
when operations span multiple tablets and even multiple data centers. In practice this
means that, if a write operation changes item _x_ at tablet _A_, and a following write
operation changes item _y_ at tablet _B_, you might want to enforce that if
the change to _y_ is observed, the change to _x_ must also be observed. There
are many examples where this can be important. For example, if Kudu is
storing clickstreams for further analysis, and two clicks follow each other but
are stored in different tablets, subsequent clicks should be assigned subsequent
timestamps so that the causal relationship between them is captured.
.`CLIENT_PROPAGATED` Consistency
Kudu's default external consistency mode is called `CLIENT_PROPAGATED`.
See <<ht>> for an extensive explanation on how it works. In brief, this mode causes writes
from _a single client_ to be automatically externally consistent. In the clickstream scenario
above, if the two clicks are submitted by different client instances, the application must
manually propagate timestamps from one client to the other for the causal relationship
to be captured.
Timestamps between clients _a_ and _b_ can be propagated as follows:
Java Client:: Call `AsyncKuduClient#getLastPropagatedTimestamp()` on client _a_,
propagate the timestamp to client _b_, and call
`AsyncKuduClient#setLastPropagatedTimestamp()` on client _b_.
{cpp} Client:: Call `KuduClient::GetLatestObservedTimestamp()` on client _a_,
propagate the timestamp to client _b_, and call
`KuduClient::SetLatestObservedTimestamp()` on client _b_.
.`COMMIT_WAIT` Consistency
Kudu also has an experimental implementation of an external consistency
model used in Google's Spanner , called `COMMIT_WAIT`. `COMMIT_WAIT` works
by tightly synchronizing the clocks on all machines in the cluster. Then, when a
write occurs, timestamps are assigned and the results of the write are not made
visible until enough time has passed so that no other machine in the cluster could
possibly assign a lower timestamp to a following write.
When using this mode, the latency of writes is tightly tied to the accuracy of clocks on
all the cluster hosts, and using this mode with loose clock synchronization causes writes
to take a long time to complete or even time out. See <<known_issues>>.
The `COMMIT_WAIT` consistency mode may be selected as follows:
Java Client:: Call `KuduSession#setExternalConsistencyMode(ExternalConsistencyMode.COMMIT_WAIT)`
{cpp} Client:: Call `KuduSession::SetExternalConsistencyMode(COMMIT_WAIT)`
CAUTION: `COMMIT_WAIT` consistency is considered an experimental feature. It may return
incorrect results, exhibit performance issues, or negatively impact cluster stability.
Use in production environments is discouraged.
== Multi-tablet write transactions
Kudu provides transactionality on top of the write operations, meaning all operations that occur
within a transaction abide by the same consistency behavior described above.
When a client begins a transaction, Kudu automatically assigns the transaction a unique identifier
(called a "transaction ID"). The identifier can be used to create sessions to which write operations
are applied, potentially across multiple clients per transaction. Write operations applied in the
context of a transaction are not visible until a client commits the transaction.
Kudu exposes the following APIs to pass a transaction identifier between potentially multiple
processes:
Java Client:: Call `KuduTransaction#serialize(...)` to get a bytes representation of the transaction
ID, and call `KuduTransaction#deserialize(...)` to get a `KuduTransaction` object.
{cpp} Client:: Call `KuduTransaction::Serialize(...)` to get a bytes representation of the
transaction ID, and call `KuduTransaction::Deserialize(...)` to get a `KuduTransaction` object.
As writes are applied in the context of the transaction, each tablet that participates in the
transaction automatically registers itself as a participant, and is locked for further transactions
until the transaction is complete. Per-row locks are taken as per the normal flow of a write
operation, but per row locks are released upon replicating the write operation, in favor of relying
on the tablet-wide lock.
If multiple transactions lock the same tablet, Kudu uses the wait-die scheme to avoid deadlocks when
locking the participant: if a transaction _b_ attempts to lock a tablet that is already locked by
transaction _a_, if _a_ > _b_ (_a_ is newer than _b_), transaction _b_ continues trying to lock
until it is successful (it "waits"). Otherwise, transaction _b_ is automatically aborted, and it is
up to the application to retry the transaction.
When the client commits a transaction, Kudu orchestrates a two-phase commit that assigns a "commit
timestamp" to all write operations that is higher than each of their individually assigned
timestamps. The mutations of the transaction are all visible to clients as of this commit timestamp.
Additionally, subsequent write operations on all participants are guaranteed to be assigned
timestamps higher than this timestamp. It is up to applications to ensure that all desired write
operations have succeeded (i.e. did not return row errors) before committing.
As long as a transaction is expected to remain active, applications are expected to maintain at
least one reference to the given transaction's handle, each of which can be configured to
automatically heartbeat to the Kudu cluster, indicating liveness of the transacting application. By
default, only the first created transaction handle for a transaction will heartbeat, with the
expectation that it is kept alive for the entire duration of the transaction. If only a single
transaction handle is expected to be kept alive at once across multiple clients, the heartbeating
can be enabled with the following calls when serializing the handle for use in other processes.
Java Client:: Call `KuduTransaction.SerializationOptions#setEnableKeepalive(true)`
{cpp} Client:: Call `KuduTransaction::SerializationOptions::enable_keepalive(true)`
== Read Operations (Scans)
Scans are read operations performed by clients that may span one or more rows across
one or more tablets. When a server receives a scan request, it takes a snapshot of the MVCC
state and then proceeds in one of two ways depending on the read mode selected by
the user. The mode may be selected as follows:
Java Client:: Call `KuduScannerBuilder#readMode(...)`
{cpp} Client:: Call `KuduScanner::SetReadMode()`
The following modes are available in both clients:
`READ_LATEST`:: This is the default read mode. The server takes a snapshot of
the MVCC state and proceeds with the read immediately. Reads in this mode only yield
'Read Committed' isolation.
`READ_AT_SNAPSHOT`:: In this read mode, scans are consistent and repeatable. A
timestamp for the snapshot is selected either by the server, or set
explicitly by the user through `KuduScanner::SetSnapshotMicros()`. Explicitly setting
the timestamp is recommended; see <<recommendations>>. The server waits until this
timestamp is 'safe' (until all write operations that have a lower timestamp have
completed and are visible). This delay, coupled with an external consistency method,
will eventually allow Kudu to have full `strict-serializable` semantics for reads
and writes. This is still a work in progress and some anomalies are still possible
(see <<known_issues>>). Only scans in this mode can be fault-tolerant.
`READ_YOUR_WRITES`:: This read mode relies on the state of a Kudu client to
issue subsequent scan requests. When issuing a scan request in this read mode,
a Kudu client provides the latest timestamp it observed so far. The server
selects a timestamp higher than the timestamp provided by the client, that is
also guaranteed to have all prior write operations committed and applied to
the data. That translates into read-your-writes and read-your-reads behavior
which is useful in scenarios where subsequent scan requests should contain the
data the client has seen so far while reading and writing during its current
session. link:https://issues.apache.org/jira/browse/KUDU-1704[KUDU-1704] could
provide more details and references, if necessary. To summarize, this read mode
- ensures read-your-writes and read-your-reads session guarantees
- minimizes the latency caused by waiting for outstanding write operations
at the server side to complete
- doesn't guarantee linearizability
Selecting between read modes requires balancing the trade-offs and making a choice
that fits your workload. For instance, a reporting application that needs to
scan the entire database might need to perform careful accounting operations, so that
scan may need to be fault-tolerant, but probably doesn't require a to-the-microsecond
up-to-date view of the database. In that case, you might choose `READ_AT_SNAPSHOT`
and select a timestamp that is a few seconds in the past when the scan starts. On
the other hand, a machine learning workload that is not ingesting the whole data
set and is already statistical in nature might not require the scan to be repeatable,
so you might choose `READ_LATEST` instead for better scan performance.
[NOTE]
====
Kudu also provides replica selection API for users to choose at which replica the
scan should be performed:
Java Client:: Call `KuduScannerBuilder#replicaSelection(...)`
{cpp} Client:: Call `KuduScanner::SetSelection(...)`
This API is a means to control locality and, in some cases, latency. The replica
selection API has no effect on the consistency guarantees, which will hold no matter
which replica is selected.
====
[[known_issues]]
== Known Issues and Limitations
There are several gaps and corner cases that prevent Kudu from being fully strictly-serializable
in some situations, at the moment. Below are the details and next, some recommendations.
[[known_issues_scans]]
=== Writes
* Support for `COMMIT_WAIT` is experimental and requires careful tuning of the
time-synchronization protocol, such as NTP (Network Time Protocol). Its use
is discouraged in production environments.
* Multi-tablet transaction support currently only allows a tablet to participate in a single
transaction at a time.
* Multi-tablet transaction support currently only guarantees
link:https://jepsen.io/consistency/models/read-committed["read committed"] semantics.
=== Reads (Scans)
* On a leader change, `READ_AT_SNAPSHOT` scans at a snapshot whose timestamp is beyond the last
write may also yield non-repeatable reads (see
link:https://issues.apache.org/jira/browse/KUDU-1188[KUDU-1188]).
See <<recommendations>> for a workaround.
* Impala scans are currently performed as `READ_LATEST` and have no consistency
guarantees.
* In `AUTO_BACKGROUND_FLUSH` mode, or when using "async" flushing mechanisms, writes applied to a
single client session may become reordered due to the concurrency of flushing the data to the
server. This may be particularly noticeable if a single row is quickly updated with different
values in succession. This phenomenon affects all client API implementations, including
transactional APIs. Workarounds are described in the API documentation for the respective
implementations in the docs for `FlushMode` or `AsyncKuduSession`. See
link:https://issues.apache.org/jira/browse/KUDU-1767[KUDU-1767].
* Dirty reads (i.e. reads within an uncommitted transaction) are not currently supported.
[[recommendations]]
=== Recommendations
* If repeatable snapshot reads are a requirement, use `READ_AT_SNAPSHOT`
with a timestamp that is slightly in the past (between 2-5 seconds, ideally).
This will circumvent the anomaly described in <<known_issues_scans>>. Even when the
anomaly has been addressed, back-dating the timestamp will always make scans
faster, since they are unlikely to block.
* If external consistency is a requirement and you decide to use `COMMIT_WAIT`, the
time-synchronization protocol needs to be tuned carefully. Each operation will wait 2x the maximum
clock error at the time of execution, which is usually in the 100 msec. to 1 sec. range with the
default settings, maybe more. Thus, write operations would take at least 200 msec. to 2 sec. to
complete when using the default settings and may even time out.
** A local server should be used as a time server. We've performed experiments using the default
NTP time source available in a Google Compute Engine data center and were able to obtain
a reasonable tight max error bound, usually varying between 12-17 milliseconds.
** The following parameters should be adjusted in `/etc/ntp.conf` to tighten the maximum error:
- `server my_server.org iburst minpoll 1 maxpoll 8`
- `tinker dispersion 500`
- `tinker allan 0`
IMPORTANT: The above parameters minimize `maximum error` at the expense of `estimated error`,
the latter might be orders of magnitude above it's "normal" value. These parameters also
may place a greater load on the time server, since they make the servers poll much more
frequently.
[bibliography]
== References
- [[[ht,1]]] David Alves, Todd Lipcon and Vijay Garg. Technical Report: HybridTime - Accessible Global Consistency with High Clock Uncertainty. April, 2014. http://users.ece.utexas.edu/~garg/pdslab/david/hybrid-time-tech-report-01.pdf
- [[[spanner,2]]] James C. Corbett, Jeffrey Dean, Michael Epstein, Andrew Fikes, Christopher Frost, J. J. Furman, Sanjay Ghemawat, Andrey Gubarev, Christopher Heiser, Peter Hochschild, Wilson Hsieh, Sebastian Kanthak, Eugene Kogan, Hongyi Li, Alexander Lloyd, Sergey Melnik, David Mwaura, David Nagle, Sean Quinlan, Rajesh Rao, Lindsay Rolig, Yasushi Saito, Michal Szymaniak, Christopher Taylor, Ruth Wang, and Dale Woodford. 2012. Spanner: Google's globally-distributed database. In Proceedings of the 10th USENIX conference on Operating Systems Design and Implementation (OSDI'12). USENIX Association, Berkeley, CA, USA, 251-264.
- [[[fdt,3]]] Alexander Thomson, Thaddeus Diamond, Shu-Chun Weng, Kun Ren, Philip Shao, and Daniel J. Abadi. 2012. Calvin: fast distributed transactions for partitioned database systems. In Proceedings of the 2012 ACM SIGMOD International Conference on Management of Data (SIGMOD '12). ACM, New York, NY, USA, 1-12. DOI=10.1145/2213836.2213838 http://doi.acm.org/10.1145/2213836.2213838
- [[[consensus,4]]] Diego Ongaro and John Ousterhout. 2014. In search of an understandable consensus algorithm. In Proceedings of the 2014 USENIX conference on USENIX Annual Technical Conference (USENIX ATC'14), Garth Gibson and Nickolai Zeldovich (Eds.). USENIX Association, Berkeley, CA, USA, 305-320.
- [[[consistency,5]]] Kwei-Jay Lin, "Consistency issues in real-time database systems," in System Sciences, 1989. Vol.II: Software Track, Proceedings of the Twenty-Second Annual Hawaii International Conference on , vol.2, no., pp.654-661 vol.2, 3-6 Jan 1989 doi: 10.1109/HICSS.1989.48069