[controller] Block pushes during rollback-origin retention; address Copilot

comments

Adds `checkRollbackOriginVersionCapacityForNewPush` which rejects a new push
while any ROLLED_BACK (or parent-side rollback-origin PARTIALLY_ONLINE)
version
is still within its retention window. The check runs on both the parent
(`VeniceParentHelixAdmin.incrementVersionIdempotent`) and the child
(`VeniceHelixAdmin.addVersion`), so the rejection surfaces synchronously to
the VPJ instead of failing only in async admin-message consumption on the
child.

Integration tests cover both the block (within retention) and the release
(after retention expires) paths.

Also addresses Copilot comments on PR #2688:
- #11 `assumeRolledBackIfUnreachable` is now empty for full-cluster rollbacks
  so unreachable regions don't inflate the ROLLED_BACK count.
- #14 If the region filter contains only unknown regions, skip the parent
  status update instead of falling through into full-cluster behavior.
- #15 If zero regions confirm ROLLED_BACK, leave parent status unchanged
  rather than downgrading to PARTIALLY_ONLINE on no evidence.

Author: misyel

internal/venice-test-common/src/integrationTest/java/com/linkedin/venice/endToEnd/TestPushAllowedAfterRollbackRetentionExpires.java

@@ -0,0 +1,127 @@
+package com.linkedin.venice.endToEnd;
+
+import static com.linkedin.venice.ConfigKeys.CONTROLLER_ROLLED_BACK_VERSION_RETENTION_MS;
+import static com.linkedin.venice.ConfigKeys.DEFAULT_MAX_NUMBER_OF_PARTITIONS;
+import static com.linkedin.venice.ConfigKeys.DEFAULT_PARTITION_SIZE;
+import static com.linkedin.venice.ConfigKeys.TOPIC_CLEANUP_SLEEP_INTERVAL_BETWEEN_TOPIC_LIST_FETCH_MS;
+import static com.linkedin.venice.utils.IntegrationTestPushUtils.createStoreForJob;
+import static com.linkedin.venice.utils.TestWriteUtils.NAME_RECORD_V3_SCHEMA;
+import static com.linkedin.venice.utils.TestWriteUtils.getTempDataDirectory;
+import static org.testng.Assert.assertFalse;
+import static org.testng.Assert.assertTrue;
+
+import com.linkedin.venice.controllerapi.ControllerClient;
+import com.linkedin.venice.controllerapi.ControllerResponse;
+import com.linkedin.venice.controllerapi.StoreResponse;
+import com.linkedin.venice.controllerapi.UpdateStoreQueryParams;
+import com.linkedin.venice.meta.Version;
+import com.linkedin.venice.meta.VersionStatus;
+import com.linkedin.venice.utils.IntegrationTestPushUtils;
+import com.linkedin.venice.utils.TestUtils;
+import com.linkedin.venice.utils.TestWriteUtils;
+import com.linkedin.venice.utils.Utils;
+import java.io.File;
+import java.io.IOException;
+import java.util.Properties;
+import java.util.concurrent.TimeUnit;
+import org.testng.annotations.Test;
+
+
+/**
+ * Companion to {@link TestPushBlockedByRollbackOriginGuard}: verifies that once the rolled-back
+ * retention window elapses, a new push is allowed through and becomes the next current version.
+ *
+ * <p>Retention is tuned to 5 seconds so the test can wait past it within its lifetime.
+ */
+public class TestPushAllowedAfterRollbackRetentionExpires extends AbstractMultiRegionTest {
+  private static final int TEST_TIMEOUT = 180_000; // ms
+  private static final long ROLLED_BACK_RETENTION_MS = TimeUnit.SECONDS.toMillis(5);
+
+  @Override
+  protected int getNumberOfRegions() {
+    return 1;
+  }
+
+  @Override
+  protected int getNumberOfServers() {
+    return 1;
+  }
+
+  @Override
+  protected int getReplicationFactor() {
+    return 1;
+  }
+
+  @Override
+  protected Properties getExtraControllerProperties() {
+    Properties controllerProps = new Properties();
+    controllerProps.put(DEFAULT_MAX_NUMBER_OF_PARTITIONS, 1);
+    controllerProps.put(DEFAULT_PARTITION_SIZE, 10);
+    controllerProps
+        .setProperty(TOPIC_CLEANUP_SLEEP_INTERVAL_BETWEEN_TOPIC_LIST_FETCH_MS, String.valueOf(Long.MAX_VALUE));
+    controllerProps.put(CONTROLLER_ROLLED_BACK_VERSION_RETENTION_MS, ROLLED_BACK_RETENTION_MS);
+    return controllerProps;
+  }
+
+  @Test(timeOut = TEST_TIMEOUT)
+  public void testPushSucceedsAfterRolledBackRetentionExpires() throws IOException, InterruptedException {
+    File inputDir = getTempDataDirectory();
+    TestWriteUtils.writeSimpleAvroFileWithStringToV3Schema(inputDir, 100, 100);
+    String inputDirPath = "file://" + inputDir.getAbsolutePath();
+    String storeName = Utils.getUniqueString("pushAllowedAfterRetention");
+
+    Properties props =
+        IntegrationTestPushUtils.defaultVPJProps(multiRegionMultiClusterWrapper, inputDirPath, storeName);
+    try (ControllerClient parentControllerClient = createStoreForJob(
+        CLUSTER_NAME,
+        "\"string\"",
+        NAME_RECORD_V3_SCHEMA.toString(),
+        props,
+        new UpdateStoreQueryParams())) {
+      IntegrationTestPushUtils.runVPJ(props);
+      TestUtils.waitForNonDeterministicPushCompletion(
+          Version.composeKafkaTopic(storeName, 1),
+          parentControllerClient,
+          30,
+          TimeUnit.SECONDS);
+      IntegrationTestPushUtils.runVPJ(props);
+      TestUtils.waitForNonDeterministicPushCompletion(
+          Version.composeKafkaTopic(storeName, 2),
+          parentControllerClient,
+          30,
+          TimeUnit.SECONDS);
+
+      // Rollback: v1 becomes current, v2 becomes ROLLED_BACK.
+      ControllerResponse rollbackResponse = parentControllerClient.rollbackToBackupVersion(storeName);
+      assertFalse(rollbackResponse.isError(), "rollback failed: " + rollbackResponse.getError());
+
+      TestUtils.waitForNonDeterministicAssertion(30, TimeUnit.SECONDS, () -> {
+        StoreResponse resp = parentControllerClient.getStore(storeName);
+        assertFalse(resp.isError(), "getStore error: " + resp.getError());
+        assertTrue(
+            resp.getStore().getVersion(2).isPresent()
+                && resp.getStore().getVersion(2).get().getStatus() == VersionStatus.ROLLED_BACK,
+            "Expected v2 to be ROLLED_BACK after rollback, got: " + resp.getStore().getVersion(2));
+      });
+
+      // Wait past the rolled-back retention so the guard allows the next push through.
+      // Buffer added to account for clock skew between latestVersionPromoteToCurrentTimestamp
+      // (set at rollback time) and this wait's wall clock.
+      Thread.sleep(ROLLED_BACK_RETENTION_MS + TimeUnit.SECONDS.toMillis(2));
+
+      // v3 push should now succeed; the rollback-origin guard must not block it past retention.
+      IntegrationTestPushUtils.runVPJ(props);
+      TestUtils.waitForNonDeterministicPushCompletion(
+          Version.composeKafkaTopic(storeName, 3),
+          parentControllerClient,
+          60,
+          TimeUnit.SECONDS);
+
+      StoreResponse finalStoreResponse = parentControllerClient.getStore(storeName);
+      assertFalse(finalStoreResponse.isError());
+      assertTrue(
+          finalStoreResponse.getStore().getVersion(3).isPresent(),
+          "Version 3 should have been created after retention expired");
+    }
+  }
+}

internal/venice-test-common/src/integrationTest/java/com/linkedin/venice/endToEnd/TestPushBlockedByRollbackOriginGuard.java

@@ -0,0 +1,143 @@
+package com.linkedin.venice.endToEnd;
+
+import static com.linkedin.venice.ConfigKeys.CONTROLLER_ROLLED_BACK_VERSION_RETENTION_MS;
+import static com.linkedin.venice.ConfigKeys.DEFAULT_MAX_NUMBER_OF_PARTITIONS;
+import static com.linkedin.venice.ConfigKeys.DEFAULT_PARTITION_SIZE;
+import static com.linkedin.venice.ConfigKeys.TOPIC_CLEANUP_SLEEP_INTERVAL_BETWEEN_TOPIC_LIST_FETCH_MS;
+import static com.linkedin.venice.utils.IntegrationTestPushUtils.createStoreForJob;
+import static com.linkedin.venice.utils.TestWriteUtils.NAME_RECORD_V3_SCHEMA;
+import static com.linkedin.venice.utils.TestWriteUtils.getTempDataDirectory;
+import static org.testng.Assert.assertFalse;
+import static org.testng.Assert.assertTrue;
+import static org.testng.Assert.fail;
+
+import com.linkedin.venice.controllerapi.ControllerClient;
+import com.linkedin.venice.controllerapi.ControllerResponse;
+import com.linkedin.venice.controllerapi.StoreResponse;
+import com.linkedin.venice.controllerapi.UpdateStoreQueryParams;
+import com.linkedin.venice.hadoop.VenicePushJob;
+import com.linkedin.venice.meta.Version;
+import com.linkedin.venice.meta.VersionStatus;
+import com.linkedin.venice.utils.IntegrationTestPushUtils;
+import com.linkedin.venice.utils.TestUtils;
+import com.linkedin.venice.utils.TestWriteUtils;
+import com.linkedin.venice.utils.Utils;
+import java.io.File;
+import java.io.IOException;
+import java.util.Properties;
+import java.util.concurrent.TimeUnit;
+import org.testng.annotations.Test;
+
+
+/**
+ * Integration test for {@link com.linkedin.venice.controller.VeniceHelixAdmin#checkRollbackOriginVersionCapacityForNewPush}.
+ *
+ * <p>After a rollback, v2 becomes ROLLED_BACK (on the parent, once propagated) and v1 becomes
+ * current. A new push within the rolled-back retention window should be rejected with a message
+ * that tells operators to wait for the rolled-back version to be cleaned up.
+ *
+ * <p>Config tuning: the min backup version cleanup delay is left at the default (0) so the
+ * generic pending-deletion guard does NOT fire first. The rolled-back retention is set to 1 minute
+ * so the rollback-origin guard reliably fires within the test lifetime.
+ *
+ * <p>This test is in its own class (separate from {@link TestPushBlockedWithinMinCleanupDelay}) so
+ * the two guards can be exercised in isolation with their respective configs.
+ */
+public class TestPushBlockedByRollbackOriginGuard extends AbstractMultiRegionTest {
+  private static final int TEST_TIMEOUT = 180_000; // ms
+
+  @Override
+  protected int getNumberOfRegions() {
+    return 1;
+  }
+
+  @Override
+  protected int getNumberOfServers() {
+    return 1;
+  }
+
+  @Override
+  protected int getReplicationFactor() {
+    return 1;
+  }
+
+  @Override
+  protected Properties getExtraControllerProperties() {
+    Properties controllerProps = new Properties();
+    controllerProps.put(DEFAULT_MAX_NUMBER_OF_PARTITIONS, 1);
+    controllerProps.put(DEFAULT_PARTITION_SIZE, 10);
+    controllerProps
+        .setProperty(TOPIC_CLEANUP_SLEEP_INTERVAL_BETWEEN_TOPIC_LIST_FETCH_MS, String.valueOf(Long.MAX_VALUE));
+    // Override the default 24h retention so the rollback-origin guard reliably fires during the test.
+    // CONTROLLER_BACKUP_VERSION_MIN_CLEANUP_DELAY_MS defaults to 0 in the test harness, which means
+    // the other (min-delay) guard does not fire here — ensuring this test exercises the rollback-origin
+    // guard and nothing else.
+    controllerProps.put(CONTROLLER_ROLLED_BACK_VERSION_RETENTION_MS, TimeUnit.MINUTES.toMillis(30));
+    return controllerProps;
+  }
+
+  @Test(timeOut = TEST_TIMEOUT)
+  public void testPushBlockedAfterRollbackWithinRolledBackRetention() throws IOException {
+    File inputDir = getTempDataDirectory();
+    TestWriteUtils.writeSimpleAvroFileWithStringToV3Schema(inputDir, 100, 100);
+    String inputDirPath = "file://" + inputDir.getAbsolutePath();
+    String storeName = Utils.getUniqueString("pushBlockedByRollbackOrigin");
+
+    Properties props =
+        IntegrationTestPushUtils.defaultVPJProps(multiRegionMultiClusterWrapper, inputDirPath, storeName);
+    try (ControllerClient parentControllerClient = createStoreForJob(
+        CLUSTER_NAME,
+        "\"string\"",
+        NAME_RECORD_V3_SCHEMA.toString(),
+        props,
+        new UpdateStoreQueryParams())) {
+      // Push v1, v2 so the store has two versions to roll back between.
+      IntegrationTestPushUtils.runVPJ(props);
+      TestUtils.waitForNonDeterministicPushCompletion(
+          Version.composeKafkaTopic(storeName, 1),
+          parentControllerClient,
+          30,
+          TimeUnit.SECONDS);
+      IntegrationTestPushUtils.runVPJ(props);
+      TestUtils.waitForNonDeterministicPushCompletion(
+          Version.composeKafkaTopic(storeName, 2),
+          parentControllerClient,
+          30,
+          TimeUnit.SECONDS);
+
+      // Rollback: v1 becomes current, v2 becomes ROLLED_BACK (PR #2688).
+      ControllerResponse rollbackResponse = parentControllerClient.rollbackToBackupVersion(storeName);
+      assertFalse(rollbackResponse.isError(), "rollback failed: " + rollbackResponse.getError());
+
+      // Wait for the parent's view to reflect v2 = ROLLED_BACK so the rollback-origin guard has
+      // something to find when the VPJ calls addVersion. Without this wait the parent's in-memory
+      // state can lag briefly behind the rollback admin message propagation.
+      TestUtils.waitForNonDeterministicAssertion(30, TimeUnit.SECONDS, () -> {
+        StoreResponse resp = parentControllerClient.getStore(storeName);
+        assertFalse(resp.isError(), "getStore error: " + resp.getError());
+        assertTrue(
+            resp.getStore().getVersion(2).isPresent()
+                && resp.getStore().getVersion(2).get().getStatus() == VersionStatus.ROLLED_BACK,
+            "Expected v2 to be ROLLED_BACK after rollback, got: " + resp.getStore().getVersion(2));
+      });
+
+      // Attempt v3 push; the parent-level rollback-origin guard should reject it synchronously
+      // so the VPJ throws with the guard's distinctive message.
+      try (VenicePushJob job = new VenicePushJob("venice-push-job-v3-" + storeName, props)) {
+        job.run();
+        fail("Expected VPJ to fail — rollback-origin guard should block v3 push within retention");
+      } catch (Exception e) {
+        String message = e.getMessage();
+        assertTrue(
+            message != null && message.contains("Retry after the rolled-back version is cleaned up"),
+            "Expected rollback-origin guard message, got: " + message);
+      }
+
+      StoreResponse finalStoreResponse = parentControllerClient.getStore(storeName);
+      assertFalse(finalStoreResponse.isError());
+      assertFalse(
+          finalStoreResponse.getStore().getVersion(3).isPresent(),
+          "Version 3 should NOT have been created after guard rejection");
+    }
+  }
+}

services/venice-controller/src/main/java/com/linkedin/venice/controller/VeniceHelixAdmin.java

@@ -22,6 +22,7 @@
 import static com.linkedin.venice.meta.VersionStatus.KILLED;
 import static com.linkedin.venice.meta.VersionStatus.NOT_CREATED;
 import static com.linkedin.venice.meta.VersionStatus.ONLINE;
+import static com.linkedin.venice.meta.VersionStatus.PARTIALLY_ONLINE;
 import static com.linkedin.venice.meta.VersionStatus.PUSHED;
 import static com.linkedin.venice.meta.VersionStatus.ROLLED_BACK;
 import static com.linkedin.venice.meta.VersionStatus.STARTED;
@@ -3238,6 +3239,11 @@ private Pair<Boolean, Version> addVersion(
 
           // Block the push if backup versions are pending deletion but still within the min cleanup delay.
           checkBackupVersionCleanupCapacityForNewPush(clusterName, storeName, store, store.getBackupStrategy());
+
+          // Block the push if any rollback-origin version (ROLLED_BACK, or rollback-origin
+          // PARTIALLY_ONLINE on the parent) is still within its retention window. Gives fat clients time
+          // to switch to the new version.
+          checkRollbackOriginVersionCapacityForNewPush(clusterName, storeName, store);
           backupStrategy = store.getBackupStrategy();
           offlinePushStrategy = store.getOffLinePushStrategy();
 
@@ -4574,6 +4580,55 @@ static void checkBackupVersionCleanupCapacityForNewPush(
     }
   }
 
+  /**
+   * Throws if starting a new push would violate the retention window for a rollback-origin version.
+   * Blocks when a {@code ROLLED_BACK} version exists, or when a {@code PARTIALLY_ONLINE} version
+   * sits above the current version (parent controller, region-filtered rollback).
+   * The block lifts once {@code latestVersionPromoteToCurrentTimestamp + rolledBackVersionRetentionMs}
+   * elapses; past that point, the version will be swept on the next SOP deletion pass.
+   */
+  private void checkRollbackOriginVersionCapacityForNewPush(String clusterName, String storeName, Store store) {
+    checkRollbackOriginVersionCapacityForNewPush(
+        clusterName,
+        storeName,
+        store,
+        multiClusterConfigs.getRolledBackVersionRetentionMs(),
+        System.currentTimeMillis());
+  }
+
+  /** Testable variant — config and time passed in. */
+  static void checkRollbackOriginVersionCapacityForNewPush(
+      String clusterName,
+      String storeName,
+      Store store,
+      long rolledBackVersionRetentionMs,
+      long currentTimeMs) {
+    long retentionExpiresAt = store.getLatestVersionPromoteToCurrentTimestamp() + rolledBackVersionRetentionMs;
+    if (currentTimeMs > retentionExpiresAt) {
+      // Past retention — SOP deletion will clean up any rollback-origin versions.
+      return;
+    }
+    int currentVersion = store.getCurrentVersion();
+    for (Version v: store.getVersions()) {
+      VersionStatus status = v.getStatus();
+      // PARTIALLY_ONLINE with number > currentVersion indicates a rollback-origin state
+      // (region-filtered rollback on the parent). Push-origin PARTIALLY_ONLINE has number == currentVersion.
+      boolean isRollbackOrigin =
+          status == ROLLED_BACK || (status == PARTIALLY_ONLINE && v.getNumber() > currentVersion);
+      if (isRollbackOrigin) {
+        throw new VeniceException(
+            String.format(
+                "Cannot start new push for store %s in cluster %s: version %d is %s from a rollback; "
+                    + "retention expires in %dms. Retry after the rolled-back version is cleaned up.",
+                storeName,
+                clusterName,
+                v.getNumber(),
+                status,
+                retentionExpiresAt - currentTimeMs));
+      }
+    }
+  }
+
   /**
    * For a given store, determine its versions to delete based on the {@linkplain BackupStrategy} settings and execute
    * the deletion in the cluster (including all its resources). It also truncates Kafka topics and Helix resources.
@@ -4599,7 +4654,25 @@ public void retireOldStoreVersions(
        * Clamp to at least 1 since retrieveVersionsToDelete rejects values < 1.
        */
       int numVersionToPreserve = Math.max(1, minNumberOfStoreVersionsToPreserve - (deleteBackupOnStartPush ? 1 : 0));
-      List<Version> versionsToDelete = store.retrieveVersionsToDelete(numVersionToPreserve);
+      List<Version> versionsToDelete = new ArrayList<>(store.retrieveVersionsToDelete(numVersionToPreserve));
+
+      // Include rollback-origin versions whose retention window has elapsed. retrieveVersionsToDelete
+      // deliberately skips ROLLED_BACK (handled by StoreBackupVersionCleanupService), but once past
+      // retention we can reclaim them at SOP as well.
+      long rolledBackRetentionExpiresAt =
+          store.getLatestVersionPromoteToCurrentTimestamp() + multiClusterConfigs.getRolledBackVersionRetentionMs();
+      if (System.currentTimeMillis() > rolledBackRetentionExpiresAt) {
+        int currentVersion = store.getCurrentVersion();
+        for (Version v: store.getVersions()) {
+          VersionStatus status = v.getStatus();
+          boolean isRollbackOrigin =
+              status == ROLLED_BACK || (status == PARTIALLY_ONLINE && v.getNumber() > currentVersion);
+          if (isRollbackOrigin && !versionsToDelete.contains(v)) {
+            versionsToDelete.add(v);
+          }
+        }
+      }
+
       if (versionsToDelete.isEmpty()) {
         return;
       }