Page MenuHomePhabricator
Create Task
Maniphest T282887

Avoid accepting Kafka messages with whacky timestamps
Open, MediumPublic
Actions

Description

In https://phabricator.wikimedia.org/T250133#6063641 we encountered an error where a bad kafka timestamp caused kafka log rolling to stop indefinitely, which filled up disks.

Having a bad Kafka timestamp (way out of range, e.g. years in the future or past) will also hurt stream processing and Hive partition ingestion.

We could configure Kafka to reject messages with timestamps that are too old or two far in the future with log.message.timestamp.difference.max.ms. Setting this to the value of log.retention.ms seems to make the most sense, but this caused issues with compacted topics as noted here. Kafka had log.retention.ms as the default value for log.message.timestamp.difference.max.ms for a few versions but this was reverted to due complexities with compacted topics.

This really only matters when the data produced is untrusted. eventgate-analytics-external and eventgate-logging-external accept events from external producers. Our code does the right thing, but there is nothing stopping someone from manually POSTing an event with a whacky meta.dt, which will be used for the Kafka timestamp. After we do T267648: Adopt conventions for server receive and client/event timestamps in non analytics event schemas, we should probably modify EventGate so that it always sets meta.dt itself, rather than accepting the producer's value if it is present.

This would help mitigate the potential problem, but it doesn't stop bugs in our code from emitting bad timestamps. Setting log.message.timestamp.difference.max.ms would, but I'm not sure what to do if we start using compacted topics.

Related Objects

Event Timeline

Ottomata created this task.May 14 2021, 5:09 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 14 2021, 5:09 PM
Ottomata added a project: Event-Platform.May 14 2021, 5:10 PM
odimitrijevic triaged this task as High priority.May 17 2021, 3:40 PM
odimitrijevic moved this task from Incoming to Operational Excellence on the Analytics board.
Ottomata added a comment.May 17 2021, 4:06 PM

I'd say this is medium to low priority and is something that needs to be worked on in collaboration with maintainers of other Kafka clusters.

Milimetric lowered the priority of this task from High to Medium.May 17 2021, 9:19 PM
BPirkle edited projects, added Platform Team Workboards (Clinic Duty Team); removed Platform Engineering.May 25 2021, 9:20 PM
BPirkle moved this task from Inbox to Later on the Platform Team Workboards (Clinic Duty Team) board.
Ottomata mentioned this in T284233: kafka-logging hosts running out of space on /srv.Jun 3 2021, 8:55 PM
Ottomata added a comment.Oct 21 2021, 7:20 PM

This happened today, somehow there were recentchange events with timestamps from around 2007 in the kafka stream.

odimitrijevic added a project: Data-Engineering.Jan 6 2022, 1:35 AM
odimitrijevic moved this task from Incoming (new tickets) to Apache Iceberg Migration on the Data-Engineering board.
odimitrijevic removed a project: Analytics.Jan 12 2022, 12:34 AM
Restricted Application added a project: Analytics. · View Herald TranscriptJan 12 2022, 12:34 AM
odimitrijevic removed a project: Analytics.Jan 12 2022, 12:49 AM
Restricted Application added a project: Analytics. · View Herald TranscriptJan 12 2022, 12:49 AM
JArguello-WMF removed a project: Analytics.Jun 6 2022, 5:21 PM
Ottomata added a comment.Jul 13 2022, 6:31 PM

Happened again today. There was a mediawiki.recentchange event with a 2015 timestamp.

Milimetric added a comment.Sep 20 2022, 9:15 PM

This is a nasty bug if Andrew happens to not be around, I just wanna ++ the tech debt value here.

jbond edited projects, added Data-Platform-SRE; removed SRE.May 23 2023, 12:52 PM
Ottomata added a comment.May 31 2023, 12:29 PM

Relevant:

https://cwiki.apache.org/confluence/display/KAFKA/KIP-937%3A+Improve+Message+Timestamp+Validation

Ottomata mentioned this in T335860: Implement job to transform mediawiki.page_content_change.Jun 20 2023, 8:30 PM
Ottomata mentioned this in T340492: [Epic] Set up multi DC Kafka stretch cluster.Jun 26 2023, 8:39 PM
JArguello-WMF moved this task from Apache Iceberg Migration to Tag with Icebox on the Data-Engineering board.Jun 29 2023, 11:08 PM
JArguello-WMF removed a project: Data-Engineering.Jun 29 2023, 11:09 PM
Restricted Application added a project: Data-Engineering. · View Herald TranscriptJun 29 2023, 11:09 PM
JArguello-WMF moved this task from Tag with Icebox to Event Platform Backlog on the Data-Engineering board.Jun 29 2023, 11:11 PM
JArguello-WMF added a project: Data Engineering and Event Platform Team.Jun 30 2023, 4:30 PM
JArguello-WMF moved this task from Data Eng Backlog to Event Platform Backlog on the Data Engineering and Event Platform Team board.Jun 30 2023, 4:38 PM
xcollazo mentioned this in T341134: Investigate drift between `dt` and `meta.dt`.Jul 5 2023, 2:27 PM
lbowmaker removed a project: Data Engineering and Event Platform Team.Nov 10 2023, 2:29 PM
Gehel moved this task from Incoming to Misc on the Data-Platform-SRE board.Dec 7 2023, 1:59 PM
Gehel moved this task from Misc to Watching on the Data-Platform-SRE board.Jul 9 2024, 12:50 PM
gmodena subscribed.Nov 6 2024, 3:10 PM
Ahoelzl moved this task from Event Platform Backlog to Backlog on the Data-Engineering board.Jan 18 2025, 12:02 AM
Ottomata moved this task from Backlog to Components on the Event-Platform board.Sep 17 2025, 3:05 PM
JMonton-WMF claimed this task.Oct 8 2025, 3:28 PM
JMonton-WMF added a comment.Oct 13 2025, 9:57 AM

There are 2 possible scenarios causing different issues:

  • Future timestamps that can block the Kafka's clean-up policy, filling disks.
  • Future or Past timestamps that could cause issues in Data processing pipelines.

    For the first one, it happens because the clean-up policy "delete" in Kafka only checks the first offset, and if it has passed the retention period, it is removed. If the first offset has a wrong date, for example, in the future, Kafka won't continue looking for other messages to be removed, and the topic will keep all the data until the "future date + retention" is reached, which can fill the disks.

    These 2 tickets https://phabricator.wikimedia.org/T267648, https://phabricator.wikimedia.org/T376026 already solved the biggest problem by setting the meta.dt manually rather than allowing clients to set any date.

    As commented here, reducing log.message.timestamp.difference.max.ms at broker level can cause issues in log compacted topics.

    Starting from Kafka v3.6.0, there is a new config (log.message.timestamp.after.max.ms) that can be set only for future events, which would solve the issue without affecting compacted topics.

    I guess upgrading from v1.1.0 to v3.6.0 is not a quick or simple solution for now.

    As an improvement, we can change the config log.message.timestamp.difference.max.ms in the topics created from logs, which are udp_localhost-info, udp_localhost-debug, udp_localhost-warning and, udp_localhost-err. Their cleanup.policy is "delete" and messages don't have keys in these topics, so they never will be compacted. And due to the nature of logs, there is no point on changing the policy to cleanup.policy "compact".

    This could be applied to other topics, although if Data pipelines are having issues with old timestamps, we might want to review each case as replying old messages could be a valid use case for data fixes. But I can apply the same config to some topics.

    @Ottomata, I'm not sure who can confirm this, it looks in general that this won't happen as the applications writing meta.dt are fixed, but I can change log.message.timestamp.difference.max.ms in the udp_localhost-* topics manually, so it won't happen on those in any case.
JMonton-WMF changed the task status from Open to In Progress.Oct 13 2025, 3:20 PM
JMonton-WMF edited projects, added Data-Engineering (Q2 FY25/26 October 1st - December 31th); removed Data-Engineering.Oct 14 2025, 2:06 PM
JMonton-WMF moved this task from Next Up to In progress on the Data-Engineering (Q2 FY25/26 October 1st - December 31th) board.
JMonton-WMF added a comment.Oct 15 2025, 8:45 AM

After some conversations, we have decide to not continue with this ticket until the cluster is upgraded to version >=3.6.0. (https://phabricator.wikimedia.org/T300102)

At that version of the cluster, we'll set message.timestamp.after.max.ms to a desired value and the cluster will reject future messages exceeding that value.

JMonton-WMF moved this task from In progress to Blocked/Paused on the Data-Engineering (Q2 FY25/26 October 1st - December 31th) board.Oct 15 2025, 8:58 AM
Ottomata mentioned this in T300102: Upgrade Kafka to from 1.x to later version.Oct 15 2025, 1:31 PM
JMonton-WMF changed the task status from In Progress to Open.Oct 15 2025, 3:27 PM
JMonton-WMF removed JMonton-WMF as the assignee of this task.
JMonton-WMF moved this task from Blocked/Paused to Next Up on the Data-Engineering (Q2 FY25/26 October 1st - December 31th) board.
JMonton-WMF removed a project: Data-Engineering (Q2 FY25/26 October 1st - December 31th).
JMonton-WMF subscribed.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits