KAFKA-19883: [DRAFT] KIP-1289 — Transactional acknowledgments for share groups (state machine + client API + wire schema)

[Shekharrajak]

Share groups (KIP-932) have no equivalent of sendOffsetsToTransaction. There is no way to atomically bind a share-group acknowledgment to a producer transaction, blocking EOS for share-group-based read-process-write pipelines.

Description

This is the foundational layer for KIP-1289. It does not include the broker-side RPC handler (follow-up PR).

• RecordState — new TX_PENDING state (server module)
• InFlightState — transactional staging (server module)
• ShareGroupMetadata (clients module) - ShareConsumer.shareGroupMetadata() — fires a background event to read live membership state from ShareMembershipManager
• Wire schema (clients module)- TxnShareAcknowledgeRequest / TxnShareAcknowledgeResponse (apiKey 93, v0)
• Producer EOS flow (clients module) - Producer.sendShareAcknowledgementsToTransaction(

tests

• RecordStateTest — full 6-state transition matrix including all TX_PENDING paths
• InFlightStateTxnTest

follow up

• Broker-side handleTransactionnShareAcknowledge handler in Kafka Apis.scala
• ShareCoordinatorShard.replayEndTransactionMarker() real body
• SharePartition TX_PENDING acquisition exclusion
• IT tests (require broker handler)

[Shekharrajak]

TX_PENDING is the bridge state that holds the record - between aquired and ack (or archived)

[Shekharrajak]

validation for tx_pending state - it should be after AQUIRED , before acknowledged or archiving

[Shekharrajak]

we need fencing to ensure only the right producer can confirm.
The confirmation can come from different RPC call from a different broker/server.

[Shekharrajak]

TxnShareAcknowledgeRequest will be sent from produer at client side with all producer deails

[Shekharrajak]

(firstOffset, lastOffset, ackType) triples -> this will help in pointing to records which is already on the broker's log.

[Shekharrajak]

Same implementation as sendOffsetsToTransaction() transactionManager.sendOffsetsToTransaction(offsets, groupMetadata);

[Shekharrajak]

Drafting txn Coord side of the changes.

[Shekharrajak]

per-partition dispatch

[Shekharrajak]

sharePartition.stageTxnAcknowledge(memberId, producerId, producerEpoch, acknowledgePartitionBatches)

[Shekharrajak]

iterates every SharePartition on this broker, each iterates its InFlightStates, each checks (state == TX_PENDING && stagedProducerId == producerId && stagedProducerEpoch == epoch) and apply the marker for all the share partitions.

This can be improved but InFlightState.applyTxnMarker is O(1) operation

[Shekharrajak]

After auth check for each marker calling share parititon manager - since share partition manager is responsible for finding share partition and apply

[Shekharrajak]

below startOffset - already acknowledged

[Shekharrajak]

return throwable : signalling pattern

[Shekharrajak]

break if there is one stage txn failed with any exception - if previous ones are success, then those updated with txn_pending state but current txn batch not.

transaction will abort and applyTxnMarker(ABORT) will revert them to AVAILABLE both batch ( batch 1, which was succeed and batch 2 which got failed in some step - and after the txn timeout it will also be aborted)

# user code : 
try {
    producer.sendShareAcknowledgementsToTransaction(acks, shareGroupMeta);  // ← throws
    producer.commitTransaction();
} catch (KafkaException e) {
    producer.abortTransaction();  // ← this is what reverts the records state back to 
}

[Shekharrajak]

We must have same semantics as KafkaProducer.sendOffsetsToTransaction

Retry contract (catch KafkaException → abortTransaction() → retry loop)
• Distinction between fatal vs abortable vs retriable errors
• Producer reuse semantics after abort

[Shekharrajak]

Transactional REJECT received
-> validate ownership/session/producer fencing
-> persist pending transactional reject
-> no DLQ write yet

Transaction COMMIT marker
-> materialize REJECT
-> if DLQ disabled: ARCHIVED
-> if DLQ enabled: ARCHIVING, then DLQ enqueue, then ARCHIVED

Transaction ABORT marker
-> discard pending REJECT
-> no DLQ write
-> record becomes retryable according to share lock/member rules

[AndrewJSchofield]

Thanks for the PR.

Personally, I would prefer if there was no PR for such a complicated KIP until it has successfully passed a vote. Without serious review by committers knowledgeable in the areas of share groups and transactions, the KIP would not yet be able to pass a vote. It will need +3 binding votes.

There are many details which need to be agreed by the committers before we are there. For example, we will need to have a new transaction.version and new share.version to ensure that we correctly police these schema changes to the information on the internal metadata topics, and only enable the feature once all brokers in the cluster are ready. We would typically break down the code into many PRs so that the chunks are reviewable with reasonable effort. For example, I would do the feature changes first, then the JSON RPC schemas, and then gradually introduce the actual logic. I suggest KIP-1191 and https://issues.apache.org/jira/browse/KAFKA-19469 as a good example of breaking the code down and introducing it progressively (that's one I'm actively reviewing for AK 4.4).

Finally, we would not accept a KIP like this directly into Apache Kafka as a GA feature without some kind of Early Access or Preview release, so the feature bump also allows us to pace its enablement with the successful completion of an extended period of system testing.

My suggestion would be to close the PR, concentrate on fleshing out the KIP and building alignment with committers.

[Shekharrajak]

For transactional REJECT with DLQ enabled, the coordinator must preserve staged ARCHIVING on commit.
The source SharePartition owns DLQ phase 2; after reload it resumes ARCHIVING, writes
the DLQ record, and then archives the share-state batch.

[Shekharrajak]

one producer transaction can include share acks whose source partitions map to multiple __share_group_state partitions. So this helper method will help in IT

We must try out some better way of doing it.

[Shekharrajak]

proves commit+reject with DLQ enabled writes one DLQ record and ends in ARCHIVED.

[Shekharrajak]

preserves staged delivery state instead of converting ARCHIVING to ARCHIVED.

[Shekharrajak]

covers duplicate marker idempotency.

[Shekharrajak]

Share ack transaction staging/finalization internals now use txnOwnerId / txnOwnerEpoch across SharePartition, SharePartitionManager, InFlightState, InFlightBatch, and share coordinator
completion paths.

This will help in external procesing engine to use it as txn and engine coord will run commit during checkpoint or completion of all the jobs

[Shekharrajak]

the request is rejected because its epoch does not match coordinator-owned membership state.

[Shekharrajak]

• old epoch lower than current -> stale request
• epoch equal to current -> valid request
• previous epoch -> tolerated in Kafka share group logic
• epoch higher than current -> impossible client claim, reject/fence it

[Shekharrajak]

validation : one Kafka transaction can include both a normal output record and share acknowledgements.

[Shekharrajak]

validation : one Kafka transaction can include both a normal output record and share acknowledgements.
This is abort case.

[Shekharrajak]

output stays hidden from read_committed, share lag remains 1, and the input record is redelivered.

[Shekharrajak]

recovered commit .

Client recovery now sets the active transaction owner and marks the transaction as started, so completeTransaction(...) sends EndTxn

[Shekharrajak]

abort flow .

txnOwnerId do not match, so it calls abortTransaction()

[Shekharrajak]

Broker no longer rejects keepPreparedTxn unconditionally

[Shekharrajak]

Client requires InitProducerId v6 when enable2Pc or keepPreparedTxn is set

[Shekharrajak]

Coordinator preserves only existing ONGOING 2PC transactions and returns the ongoing producer id/epoch for recovery.