Add TableConfigValidator and InstanceConfigValidator SPI for batch restart enforcement

[suvodeep-pyne]

Summary

• Adds TableConfigValidator and InstanceConfigValidator SPI interfaces in pinot-spi with list-based registries, enabling pre-mutation validation of table and instance configs
• Adds InstanceUtils.toInstance(InstanceConfig) reverse converter for the updateInstanceTags validation path
• Wires validator call sites into PinotTableRestletResource, PinotHelixResourceManager, PinotInstanceRestletResource, and TableConfigsRestletResource
• Introduces ConfigValidationException (extends RuntimeException) mapped to HTTP 400 at the REST boundary

Test plan

• InstanceUtilsTest.testToInstance() — roundtrip fidelity for all 4 instance types + unknown type error
• InstanceConfigValidatorRegistryTest — 5 tests: no-op when empty, rejection propagates, short-circuit, ordering, reset
• TableConfigValidatorRegistryTest — 5 tests: same coverage as above
• PinotHelixResourceManagerConfigValidationTest — 4 mocked tests: addInstance/updateInstance/updateInstanceTags rejection before persistence, passing validator allows persistence

[Copilot]

Pull request overview

Adds SPI hooks to validate table and instance configuration mutations before they’re persisted, enabling enforcement of batch restart / mutation rules and returning validation failures as client errors.

Changes:

• Introduces TableConfigValidator / InstanceConfigValidator SPIs and in-memory registries in pinot-spi.
• Adds ConfigValidationException for validator rejections and wires validator invocations into controller mutation paths.
• Adds InstanceUtils.toInstance(InstanceConfig) to reconstruct Instance objects for validation (notably for updateInstanceTags) and adds unit tests for the new behavior.

Reviewed changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
pinot-spi/src/main/java/org/apache/pinot/spi/config/table/TableConfigValidator.java	New SPI interface for table config mutation validation.
pinot-spi/src/main/java/org/apache/pinot/spi/config/table/TableConfigValidatorRegistry.java	Registry for table validators; invoked before persistence.
pinot-spi/src/main/java/org/apache/pinot/spi/config/instance/InstanceConfigValidator.java	New SPI interface for instance mutation validation.
pinot-spi/src/main/java/org/apache/pinot/spi/config/instance/InstanceConfigValidatorRegistry.java	Registry for instance validators; invoked before persistence.
pinot-spi/src/main/java/org/apache/pinot/spi/exception/ConfigValidationException.java	Exception type used by validators to reject mutations.
pinot-controller/src/main/java/org/apache/pinot/controller/helix/core/PinotHelixResourceManager.java	Calls instance validators for add/update/updateTags prior to Helix persistence.
pinot-controller/src/main/java/org/apache/pinot/controller/api/resources/TableConfigValidationUtils.java	Calls table validators as part of existing table config validation flow.
pinot-controller/src/main/java/org/apache/pinot/controller/api/resources/TableConfigsRestletResource.java	Calls table validators when validating composite TableConfigs.
pinot-controller/src/main/java/org/apache/pinot/controller/api/resources/PinotTableRestletResource.java	Adds table config validation on the copy-table flow.
pinot-controller/src/main/java/org/apache/pinot/controller/api/resources/PinotInstanceRestletResource.java	Maps ConfigValidationException to HTTP 400 for instance mutation endpoints.
pinot-common/src/main/java/org/apache/pinot/common/utils/config/InstanceUtils.java	Adds toInstance(InstanceConfig) reverse conversion for validation usage.
pinot-common/src/test/java/org/apache/pinot/common/utils/config/InstanceUtilsTest.java	Tests round-trip fidelity and unknown-prefix handling for toInstance.
pinot-spi/src/test/java/org/apache/pinot/spi/config/table/TableConfigValidatorRegistryTest.java	Tests validator registry semantics (ordering, short-circuit, reset).
pinot-spi/src/test/java/org/apache/pinot/spi/config/instance/InstanceConfigValidatorRegistryTest.java	Tests validator registry semantics (ordering, short-circuit, reset).
pinot-controller/src/test/java/org/apache/pinot/controller/helix/core/PinotHelixResourceManagerConfigValidationTest.java	Verifies validators reject before persistence and allow persistence when passing.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 84.05797% with 11 lines in your changes missing coverage. Please review.
✅ Project coverage is 63.31%. Comparing base (31eac83) to head (ab3b9d9).

Files with missing lines	Patch %	Lines
...er/api/resources/PinotInstanceRestletResource.java	0.00%	6 Missing ⚠️
...oller/api/resources/PinotTableRestletResource.java	0.00%	3 Missing ⚠️
...pinot/spi/exception/ConfigValidationException.java	50.00%	2 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##             master   #18167      +/-   ##
============================================
+ Coverage     63.29%   63.31%   +0.01%     
  Complexity     1627     1627              
============================================
  Files          3226     3229       +3     
  Lines        196636   196705      +69     
  Branches      30401    30408       +7     
============================================
+ Hits         124466   124538      +72     
+ Misses        62192    62191       -1     
+ Partials       9978     9976       -2     

Flag	Coverage Δ
custom-integration1	100.00% <ø> (ø)
integration	100.00% <ø> (ø)
integration1	100.00% <ø> (ø)
integration2	0.00% <ø> (ø)
java-11	63.28% <84.05%> (+0.01%)	⬆️
java-21	63.27% <84.05%> (+0.01%)	⬆️
temurin	63.31% <84.05%> (+0.01%)	⬆️
unittests	63.30% <84.05%> (+0.01%)	⬆️
unittests1	55.28% <96.29%> (+0.02%)	⬆️
unittests2	34.97% <71.01%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[xiangfu0]

High-signal issues inline.

[xiangfu0]

This validator still runs inside validateConfig(), but addConfig()/updateConfig() call tuneConfig() only afterwards. That means the SPI is evaluating a different TableConfig than the one that is actually persisted, unlike the /tables endpoints where tuning happens before validation. A validator can therefore reject or allow the same mutation depending on which API the caller uses. If this SPI is meant to protect the stored config, it needs to run after tuning or in PinotHelixResourceManager.

[suvodeep-pyne]

Good catch on the ordering. I investigated what tuneConfig() actually modifies:

• applyTunerConfigs() — only indexing config (inverted indices, no-dictionary columns)
• ensureMinReplicas() — segment replication count
• ensureStorageQuotaConstraints() — quota config for dimension tables

None of these touch instance assignment, replica groups, pools, or server tags — the fields that config validators (like batch restart enforcement) inspect. So the pre-tuned and post-tuned configs are identical for validation purposes.

I considered moving the SPI call out of validateConfig() and into each mutation path after tuning, but that creates a maintenance risk: any new mutation endpoint that calls validateConfig() would silently skip SPI validation unless the caller remembers to invoke it separately. Keeping it in validateConfig() makes it a single checkpoint that can't be accidentally bypassed.

If a future tuner modifies fields that validators care about, the right fix at that point would be to move tuning before validateConfig() in the /tableConfigs paths (matching what /tables already does), rather than pulling the SPI call out.