Current state: under discussion
Discussion thread: here
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
Apache Kafka is in the process of moving from storing metadata in Apache Zookeeper, to storing metadata in an internal Raft topic. KIP-500 described the overall architecture and plan. The purpose of this KIP is to go into detail about how the Kafka Controller will change during this transition.
Once this KIP is implemented, system administrators will have the option of running in KIP-500 mode. In this mode, we will not use ZooKeeper The alternative mode where KIP-500 support is not enabled will be referred to as legacy mode.
KIP-500 mode must be enabled for the entire cluster, not just for specific nodes. Initially, this mode will be considered experimental and not ready for production. As we do more testing and gain more confidence, we will remove the experimental label. Eventually, in a future release, KIP-500 mode will be the only supported mode. Since dropping support for legacy mode is an incompatible change, it will need to happen in a major release, of course.
Initially, we will not support upgrading a cluster from legacy mode to KIP-500 mode. This is in keeping with the experimental nature of KIP-500 mode. A future KIP will describe and implement an upgrade process from legacy mode to KIP-500 mode.
Before being used in KIP-500 mode, the storage directories on a node must be formatted. This requirement prevents system administrators from accidentally enabling KIP-500 mode by simply making a configuration change. Requiring formatting also prevents mistakes, since Kafka no longer has to guess if an empty storage directory is a newly directory or one where a system error prevented any data from showing up.
Currently, a ZooKeeper cluster must be deployed when running Kafka. This KIP will eliminate that requirement, as well as the requirement to configure the addresses of the zookeeper nodes on each broker.
Currently, any broker node can be elected as the controller. As part of this KIP, the active controller will instead be selected among a potentially smaller pool of nodes specifically configured to act as controllers. Typically three or five nodes in the cluster will be selected to be controllers.
System administrators will be able to choose whether to run separate controller nodes, or whether to run controller nodes which are co-located with broker nodes. Kafka will provide support for running a controller in the same JVM as a broker, in order to save memory and enable single-process test deployments.
The addresses and ports of the controller nodes must be configured on each broker, so that the broker can contact the controller quorum when starting up. This is similar to how we configure the ZooKeeper quorum on each node today.
Note that as long as at least one of the provided controller addresses is valid, the broker will be able to learn about the current metadata quorum and start up. Once the broker is in contact with the metadata quorum, the quorum bootstrap addresses will not be needed. This makes it possible to reconfigure the metadata quorum over time. For example, if we start with a metadata quorum of host1, host2, host3, we could replace host3 with host4 without disrupting any of the brokers. Then we could roll the brokers to apply the new metadata quorum bootstrap configuration of host1, host2, host4 on each one.
We define a node here as a tuple consisting of a node ID and a process role. Roles are defined by the `process.roles` configuration. As explained above, in a co-located configuration, a single process may take both the "controller" and "broker" roles. The node ID for both of these roles will be defined by the `node.id` configuration. However, this is mainly for configuration convenience. Semantically, we view the co-located process as representing two distinct nodes. Each node has its own listeners and its own set of APIs which it exposes. The APIs exposed by a controller node will not be the same as those exposed by a broker node.
Automatic node ID assignment via ZooKeeper will no longer be supported in KIP-500 mode. Node IDs must be set in the configuration file.
Controller processes will listen on a separate endpoint from brokers. This will be true even when the broker and controller are co-located in the same JVM.
In a well-run Kafka deployment, controller ports, like ZooKeeper ports, should be firewalled off from clients. This will prevent clients from disrupting the cluster by flooding the controller ports with requests. In the realm of ACLs, this translates to controllers requiring CLUSTERACTION on CLUSTER for all operations. (KIP-590 describes how users' administrative requests will be forwarded to the controller quorum as needed.)
The only time when clients should contact a controller node directly is when they are debugging system issues. This is similar to ZooKeeper, where we have things like zk-shell, but only for debugging.
Note that controllers do not appear in the MetadataResponses given to clients.
The Metadata Topic
As described in KIP-500, the controller will store its data in the internal __cluster_metadata topic. This topic will contain a single partition which is managed by Raft, as described in KIP-595: A Raft Protocol for the Metadata Quorum.
The leader of the controller quorum will be the active controller. The followers will function as hot standbys, ready to take over when the active leader fails or resigns. The metadata will be stored in memory on all of the controllers.
Persistence and Visibility
Metadata changes need to be persisted to the __cluster_metadata log before we apply them on the other nodes in the cluster. This means waiting for the metadata log's last stable offset to advance to the offset of the change. After that point, we are guaranteed not to lose the change as long as we uphold the Raft invariants.
Changes that we haven't yet persisted are referred to as "uncommitted." The active controller may have several of these uncommitted changes in flight at any given time. In essence, the controller's in-memory state is always a little bit in the future compared to the current state. This allows the active controller to continue doing things while it waits for the previous changes to be committed to the Raft log.
However, this "future state" may never be committed. For example, the active controller might fail, truncating some of its future state. Therefore, the active controller must not make this future state "visible" to the rest of the cluster until it has been made persistent – that is, until it becomes current state. In the case of the __cluster_metadata topic, the replication protocol itself neatly takes care of this for us. In the case of controller RPCs like AlterIsr, the controller handles this by not sending back a response until the designated change has been persisted.
The active controller makes changes to the metadata by appending records to the log. Each record has a null key, and this format for its value:
- an unsigned varint specifying the frame type (currently 0)
- an unsigned varint specifying the record type.
- an unsigned varint specifying the record version
- the payload in Kafka RPC format
For example, if we wanted to encode a TopicRecord, we might have 0 encoded as a varint, 1 encoded as a varint, followed by 0 as the record version, followed by the serialized topic data.
The frame type, record type, and version will typically only take one byte each, for a total overhead of three bytes.
Record Format Versions
There are two ways to evolve the format of a KIP-500 record. One is to add KIP-482 optional tagged fields. These will be ignored by older software, but can contain additional data for new software to handle. The other choice is to bump the version of the record.
In the pre-KIP-500 world, we had the inter-broker protocol (IBP) setting to control what RPC versions the controller used to communicate with the brokers. This allowed us to evolve the inter-broker RPC format over time. We also used it to gate many other features, such as metadata format changes. In the post-KIP-500 world, the analogous setting is the metadata.format KIP-584 feature flag. This setting controls the snapshot and delta formats which the controller will use.
As time goes on, the number of records will grow and grow, even if the total size of the metadata stays constant. Therefore, periodically, we need to consolidate all the metadata deltas into a snapshot.
Like the metadata log, the snapshot is made up of records. However, unlike the log, in which there may be multiple records describing a single entity, the snapshot will only contain the minimum number of records needed to describe all the entities.
Snapshots are local to each replica. For example, replica A may have a snapshot at offset 100, and deltas up to offset 150, whereas replica B may have a snapshot at 125 and deltas up to offset 150. Any snapshot must be usable as a starting point for loading the entire state of metadata. In other words, a new controller node must be able to load the a snapshot, and then apply all the edits which follow it, and come up-to-date.
The currently active controller will monitor the offset of the latest snapshot made by all replicas, including itself. The snapshotting state of each node is considered soft state: it is not persisted anywhere in the log, but purely communicated by heartbeats and stored in memory by the active controller.
Broker Registration and State Management
The Three Cluster Membership States
Currently, from the perspective of ZooKeeper, there are two states brokers can be in: registered, and not registered. When brokers are registered, other brokers can find their network endpoints in order to communicate with them. They are also part of the MetadataResponse communicated back to clients. When they are not registered, neither of those are true.
In the post-KIP-500 world, there will be three cluster membership states: unregistered, registered but fenced, and registered and active. Just like today, unregistered means that there is no registration information and no way to reach the broker. It is effectively not part of the cluster. In the two registered states, in contrast, contact information is available. However, in the "registered but fenced" state, the contact information might no longer be valid. For example, if a broker crashes and is not restarted, it will end up in "registered but fenced" state.
A broker only appears in MetadataResponse if it is in the "registered and active" state. If it is in the unreigstered state, or the "registered and fenced" state, it will not appear in MetadataResponse.
Essentially, registration relates to the permanent state of the cluster: the number of brokers we expect to have, what racks we expect them to be in, and so on. Fencing refers to the transitory state of the cluster: which brokers are currently available.
By separating the permanent state from the transitory state, we can more effectively handle transitory issues. For example, if you have a 3 node cluster that is undergoing rolling upgrade, one of the nodes might be down because it is rolling. However, we should still allow users to create new topics with replication factor 3. Currently, that is not possible, because the node's registration information gets wiped the moment its ZK registration goes away. With KIP-631, the registration remains, although the node becomes fenced. Another example is doing reassignment on a cluster where one or more nodes is down. Currently, when a node is down, all of its ZK registration information is gone. But we need this information in order to understand things like whether the replicas of a particular partition are well-balanced across racks.
Every distributed system needs a way of managing cluster membership. Prior to KIP-500, Kafka brokers registered ephemeral znodes in order to register themselves as part of the cluster. The Kafka controller passively consumed the registration information from Zookeeper.
In the post-KIP-500 world there is no ZooKeeper and no ephemeral znodes. Instead, each broker registers itself with the active controller using a BrokerRegistrationRequest. The active controller assigns the broker a new broker epoch, based on the next available offset in the log. The new epoch is guaranteed to be higher than any previous epoch that has been used for the given broker id.
Each registration request contains a UUID which identifies the process which sent it. This ID is called the incarnation ID. This ensures that if the response to the registration request is lost, the broker can simply re-send the registration RPC and get the same successful result as before.
Registration requests also have information about the feature flags which the broker software supports. The controller will refuse to register brokers if they don't support the feature flags which are active in the cluster. In this case, the sysadmin needs to upgrade the broker software before it can be added to the cluster.
Handling Broker ID Conflicts
The controller only allows one broker process to be registered per broker ID. Of course, broker processes go away occasionally-- for example, if a broker crashes. A broker ID can be reused once a certain amount of time has gone past without any contact with the previous incarnation of the broker.
For the purpose of this section, handling a registration request or a broker heartbeat request are both considered forms of contact (even if the broker is fenced).
When the broker first starts up, it doesn't want to be unfenced immediately. The reason is because it needs time to perform log recovery and some other startup tasks. It is good for the broker to be fenced during this time, so that clients do not try to contact it and fail. The broker indicates that it is not ready to be unfenced by setting ShouldFence = true in the heartbeats it sends out during this period.
Once the broker is ready to be unfenced, it starts setting ShouldFence = false in the heartbeats it sends out. This makes it eligible for unfencing. However, the controller will not actually unfence the broker unless its metadata is reasonably current. The controller determines this by examining the metadata offset in the heartbeat request.
As mentioned earlier, brokers which are fenced will not appear in MetadataResponses. So clients that have up-to-date metadata will not try to contact fenced brokers.
Broker leases are time-bounded. Once the period has elapsed, if the broker has not renewed its lease via a heartbeat, it will be fenced.
In the pre-KIP-500 world, brokers triggered a controller shutdown by making an RPC to the controller. When the controller returned a successful result from this RPC, the broker knew that it could shut down.
In the post-KIP-500 world, controller shutdown is handled by the broker heartbeat system instead. In its periodic heartbeats, the broker asks the controller if it can transition into the controlled shutdown state. It does this by setting the WantShutDown boolean. This motivates the controller to move all of the leaders off of that broker. Once they are all moved, the controller responds to the heartbeat with ShouldShutDown = true. At that point, the broker knows it's safe to begin the shutdown process proper.
The Broker State Machine
This is the state that the broker is in before it has started up. When the broker starts up, it transitions to STARTING.
While the broker is in this state, it is trying to catch up with the latest metadata. It fetches the metadata from the controller quorum. Once it has finished catching up, it transitions to the RECOVERY state.
The broker is in this state while it is starting the log manager. If the shutdown was clean, the broker will leave this state very quickly. If the shutdown was unclean, the broker will stay in this state until log recovery is complete.
Once log recovery is done, the broker will start listening on the socket server. It will then ask the controller to unfence it. Once the controller agrees, it will transition to the RUNNING state.
The broker is in this state when it's up and running.
The broker is in this state when it has received a SIGTERM and is trying to shut down.
The broker is in this state when controlled shutdown has finished and it is shutting down.
Changes in the Broker State Machine
The numeric constants exposed through the metrics API have not changed, and there are no new or removed states.
The main change in the broker state machine is that the RECOVERING_FROM_UNCLEAN_SHUTDOWN state has been renamed to RECOVERY. Also, unlike previously, the broker will always pass through RECOVERY (although it may only stay in this state for a very short amount of time).
Just like the ZooKeeper-based controller, the quorum controller will implement the KIP-455 partition reassignment API. This API specifies both alter and list operations.
The alter operation specifies a partition, plus a target replica list. If the target replica list is a subset of the partition's current replica list, and the new replica list contains at least one member of the current ISR, then the reassignment can be completed immediately. In this case, the controller issues a PartitionChangeRecord changing the replica set and ISR (if appropriate).
On the other hand, if the new replica list has additional replicas, or specifies a subset of replicas that doesn't intersect with the current ISR, then we add the additional replicas to the replica list, and wait for the ISR to catch up.
So, for example, if the old replica list was [1, 2, 3], and the new list was [3, 4, 5], we would proceed as follows:
- change the replica list to [1, 2, 3, 4, 5], and set addingReplicas to [4, 5]
- Wait for an alterIsr which adds both broker 4 and 5
- Change the replica list to [3, 4, 5 ] and prune the ISR accordingly. Remove addingReplicas.
Just like with the ZooKeeper-based controller, the new controller stores reassignments as "hard state." Reassignments will continue even after a controller failover or broker shutdown and restart. Reassignment state appears in controller snapshots, as addingReplicas and removingReplicas.
Unlike the old controller, the quorum controller does not prevent topics that are undergoing reassignment from being deleted. If a topic is deleted, then any partition reassignments that it had are terminated.
Typically, reassignments which require ISR changes are completed by a leader adding some new replicas, via the alterIsr RPC. (Note that another possible way for a reassignment to be completed is via a broker being added to a partition ISR during unfencing).
When a broker makes an alterIsr change that completes a reassignment, the resulting ISR will be different than requested. For example, if the leader is 1, and the current ISR is 1, 2, 3, and the target replica set is 1, 2, 4, when the leader tries to change the ISR to 1, 2, 3, 4, the controller will change it to 1, 2, 4 instead, completing the reassignment. Since the alterIsr response returns the actual ISR which was actually applied, the leader will apply this new ISR instead.
If the new ISR would does not contain the leader which made the alterIsr call, the controller returns FENCED_LEADER_EPOCH. This will notify the broker that it should wait until it can replay the latest partition change from the log. That partition change record will make this broker a follower rather than a leader.
When a storage directory is in use by a cluster running in kip-500 mode, it will have a new version of the meta.properties file. Since the current version is 0, the new version will be 1. Just as in version 0, meta.properties will continue to be a Java Properties file. This essentially means that it is a plain text file where each line has the format key=value.
In version 0 of meta.properties, the cluster.id field is optional. In contrast, in version 1 it is mandatory.
In version 0 of meta.properties, the cluster.id field is serialized in hexadecimal. In contrast, in version 1 it is serialized in base64.
Version 1 of meta.properties replaces the broker.id field with node.id.
For servers running in kip-500 mode, the `meta.properties` file must be present in every log directory. The process will raise an error during startup if if either the meta.properties file does not exist or if the node.id found does not match what the value from the configuration file.
Here is an example of a version 1 meta.properties file:
There will be a new command-line tool, kafka-storage.sh.
kafka-storage.sh will have three subcommands: info, format, and random-uuid.
The info command will give information about the configured storage directories. Example output:
When running kip-500 mode, the storage directories must be formatted using this command prior to starting up the brokers and controllers.
If any of the storage directories are formatted, the command will normally fail. This behavior can be changed by passing the --ignore-formatted option. When this option is passed, the format command will skip over already formatted directories rather than failing.
The random-uuid command prints out a random UUID to stdout.
There will also be new command-line tool named kafka-cluster.sh.
kafka-storage.sh will have two subcommands: id and unregister.
The ID command prints out the cluster id
The decommission command removes the registration of a specific broker ID. It will use make an UnregisterBrokerRequest in order to do this.
Changes to kafka-dump-log-segments.sh
kafka-dump-log-seguments.sh will have two new flags: --cluster-metadata-decoder, and --skip-record-metadata.
The --cluster-metadata-decoder flag will tell the DumpLogSegments tool to decode the records as KIP-500 metadata. Each record will be output in the following JSON format:
The --skip-record-metadata flag will skip printing metadata for each record. However, metadata for each record batch will still be printed when this flag is present.
The Kafka Metadata shell is a new command which allows users to interactively examine the metadata stored in a KIP-500 cluster.
It can read the metadata from the controllers directly, by connecting to them, or from a metadata snapshot on disk. In the former case, the quorum voters must be specified by passing the --controllers flag; in the latter case, the snapshot file should be specified via --snapshot.
The metadata tool works by replaying the log and storing the state into in-memory nodes. These nodes are presented in a fashion similar to filesystem directories. For browsing the nodes, several commands are supported:
The interface of the metadata tool is currently considered unstable and may change when KIP-500 becomes production-ready.
|Configuration Name||Possible Values||Notes|
If this is null (absent) then we are in legacy mode.
Otherwise, we are in KIP-500 mode and this configuration determines what roles this process should play: broker, controller, or both.
If non-null, this must be a comma-separated list of listener names.
When communicating with the controller quorum, the broker will always use the first listener in this list.
A comma-separated list of the names of the listeners used by the KIP-500 controller. This configuration is required if this process is a KIP-500 controller. The legacy controller will not use this configuration
Despite the similar name, note that this is different from the "control plane listener" introduced by KIP-291.
A comma-separated list of the configured listeners. For example,
INTERNAL://22.214.171.124:9092, EXTERNAL://10.1.1.5:9093, CONTROLLER://126.96.36.199:9094
|This configuration is now required.|
|sasl.mechanism.controller.protocol||SASL mechanism used for communication with controllers. Default is GSSAPI.||This is analogous to sasl.mechanism.inter.broker.protocol, but for communication with the controllers.|
If non-null, this must be a comma-separated list of all the controller voters, in the format:
When in KIP-500 mode, each node must have this configuration, in order to find out how to communicate with the controller quorum.
Note that this replaces the "quorum.voters" config described in KIP-595.
This configuration is required for both brokers and controllers.
|node.id||a 32-bit ID|
This configuration replaces `broker.id` for zk-based Kafka processes in order to reflect its more general usage. It serves as the ID associated with each role that the process is acting as.
For example, a configuration with `node.id=0` and `process.roles=broker,controller` defines two nodes: `broker-0` and `controller-0`.
|initial.broker.registration.timeout.ms||60000||When initially registering with the controller quorum, the number of milliseconds to wait before declaring failure and exiting the broker process.|
|broker.heartbeat.interval.ms||3000||The length of time between broker heartbeats.|
|broker.session.timeout.ms||18000||The length of time that a broker lease lasts if no heartbeats are made.|
|metadata.log.dir||If set, this must be a path to a log directory.||This configuration determines where we put the metadata log. if it is not set, the metadata log is placed in the first log directory from log.dirs.|
|controller.quorum.fetch.timeout.ms||Maximum time without a successful fetch from the current leader before a new election is started.||New name for quorum.fetch.timeout.ms|
|Maximum time without collected a majority of votes during the candidate state before a new election is retried||New name for quorum.election.timeout.ms|
|controller.quorum.election.backoff.max.ms||Maximum exponential backoff time (based on the number if retries) after an election timeout, before a new election is triggered.||New name for quorum.election.backoff.max.ms|
|controller.quorum.request.timeout.ms||Maximum time before a pending request is considered failed and the connection is dropped||New name for quorum.request.timeout.ms|
|controller.quorum.retry.backoff.ms||Initial delay between request retries. This config and the one below is used for retriable request errors or lost connectivity and are different from the election.backoff configs above||New name for quorum.retry.backoff.ms|
|controller.quorum.retry.backoff.max.ms||Max delay between requests. Backoff will increase exponentially beginning from ||New name for quorum.retry.backoff.max.ms|
|control.plane.listener.name||We no longer need to maintain a separate listener for messages from the controller, since the controller does not send messages out any more (it receives them).|
|broker.id.generation.enable||Automatic broker ID generation is no longer supported.|
|zookeeper.*||We no longer need configurations for ZooKeeper.|
New Error Codes
There will be a new error code, DUPLICATE_BROKER_REGISTRATION, that the active controller will return when a broker tries to register with an ID that is currently in use.
There will be a new error code, INVALID_CLUSTER_ID, that the controller will return if the broker tries to register with the wrong cluster ID.
There will be a new AdminClient RPC, unregisterBroker.
Obsoleting the Metadata Propagation RPCs
As discussed earlier, the new controller will use FetchRequest to fetch metadata from the active controller. The details of how Raft fetching will work are spelled out in KIP-595: A Raft Protocol for the Metadata Quorum.
Since we propagate the metadata via Raft, we will no longer need to send out LeaderAndIsrRequest, UpdateMetadataRequest, and StopReplicaRequest. These requests will be sent out only when we're in legacy mode, not when we're in KIP-500 mode. Eventually we will add some support for these requests to the new controller, in order to support rolling upgrade from a pre-KIP-500 release. However, for the purpose of this KIP, the new controller will not use these requests.
Obsoleting the Controlled Shutdown RPC
The broker heartbeat mechanism replaces the controlled shutdown RPC. Therefore, we will not need to support the this RPC any more in the controller-- except for compatibility during upgrades, which will be described further in a follow-on KIP.
This KIP builds on top of the work done in KIP-516 to improve how partitions are tracked.
Because each topic is identified by a unique topic UUID, we can implement topic deletion with a single record, RemoveTopicRecord. Upon replaying this record, each broker will delete the associated topic if it is present.
Of course, some brokers may be down when the topic is deleted. In fact, some brokers may never see the RemoveTopicRecord. This record may get collapsed into one of the periodic metadata snapshots. If this happens, the record will be reflected in the snapshot through the absence of a broker record, not its presence. Therefore, during the startup process, brokers must compare the log directories that they have with the ones contained in the latest metadata. The appropriate time to do this is at the start of the RECOVERY phase. At this point, the broker has the latest metadata.
Required ACLs: CLUSTERACTION on CLUSTER
Required ACLs: CLUSTERACTION on CLUSTER
As described earlier, the broker periodically sends out a heartbeat request to the active controller.
The controller will wait to unfence a broker until it sends a heartbeat where ShouldFence is false and CurrentMetadataOffset is caught up.
If the heartbeat request has ShouldShutDown set, the controller will try to move all the leaders off of the broker.
The controller will set ControlledShutdownOk if the broker is cleared to execute a controlled shutdown. In other words, if it has no leaderships.
The controller will return NOT_CONTROLLER if it is not active. Brokers will always return NOT_CONTROLLER for these RPCs.
Required ACLs: ALTER on CLUSTER
The UnregisterBrokerRequest asks the controller to unregister a broker from the cluster.
The valid response codes are:
- NONE if the unregistration succeeded or if the broker was already unregistered.
- NOT_CONTROLLER if the node that the request was sent to is not the controller
- UNSUPPORTED_VERSION if KIP-500 mode is not enabled
The offset delta between the latest metadata record this controller has replayed and the last stable offset of the metadata topic.
|kafka.controller:type=KafkaServer,name=MetadataLag||The offset delta between the latest metadata record this broker has replayed and the last stable offset of the metadata topic.|
|kafka.controller:type=KafkaController,name=MetadataCommitLatencyMs||The latency of committing a message to the metadata topic. Relevant on the active controller.|
|kafka.controller:type=KafkaController,name=MetadataCommitRatePerSec||The number of metadata messages per second committed to the metadata topic.|
New name for kafka.controller:type=KafkaController,name=SnapshotLag
The offset delta between the latest stable offset of the metadata topic and the offset of the last snapshot (or the last stable offset itself, if there are no snapshots)
Unused Metrics in KIP-500 Mode
We will deprecate these metrics as soon as legacy mode is deprecated. For now, they will be unused in KIP-500 mode.
No longer needed when running in KIP-500 mode because we won't have any ZK sessions
Compatibility, Deprecation, and Migration Plan
As described above, this KIP outlines a new mode that the broker can run in, KIP-500 mode. For now, this mode will be experimental, and there will be no way to migrate existing clusters from legacy mode to KIP-500 mode. We plan on outlining how this upgrade process will work in a follow-on KIP. We do plan on deprecating legacy mode eventually, but we are not quite ready to do it yet in this KIP.
Since KIP-500 mode is currently in a pre-alpha state, we do not guarantee that future versions will support upgrading from the current version of it yet. Once it is more stable, we will have a more traditional binary compatibility regime.
Suport Automatic Broker ID Assignment
This KIP proposes to drop support for automatic broker ID assignment. What if we decided to continue to support it?
If we were willing to take a little bit more complexity on board, it would be relatively easy to support automatic broker ID assignment. Brokers could simply ask the active controller to assign them a new ID when starting up, just as they previously obtained one from ZooKeeper.
However, automatic controller ID assignment is a much more difficult problem. We never actually supported automatically assigning ZooKeeper IDs, so there is no pattern to follow here. In general, Raft assumes that nodes know their IDs before the protocol begins. We cannot rely on random assignment because the 31 bit space is not large enough. We could perhaps create a separate protocol for assigning node IDs, but it might be complex.
In general it's not clear how useful automatic broker ID assignment really is. Configuration management software like Puppet, Chef, or Ansible can easily create a new ID for each node's configuration file. Therefore, it's probably best to use this compatibility break to drop support for automatic broker ID assignment.
Combined Heartbeats and Fetch Requests
The brokers are always fetching new metadata from the controller. Why not combine these fetch requests with the heartbeat requests, so that the brokers only have to send one request rather than two?
The main reason for making them separate requests is to have better separation of concerns. Fetching metadata is logically a bit different than sending a heartbeat, and coupling them could result in a messy design and code. We would have to add significant extra complexity to the FetchRequest schema. Perhaps even worse, we would need to make the timing of fetch requests line up with the timing needed for broker heartbeats.