KAFKA-20743: Restrict sentinel leader and state epoch in share coord. by smjn · Pull Request #22685 · apache/kafka

smjn · 2026-06-26T11:27:39Z

currently in ShareCoordinatorShard the writeState RPC allows negative
leader and state epoch values, readState allows negative
leaderEpoch and initState allows negative stateEpoch.
though these epoch's could never be injected by the client and are
server controlled, still we need to harden them.
the initState call always has the correct stateEpoch (viz groupEpoch)
by virtue of
being called from the group coordinator (both in initializing and
altering offsets).
readState is called from
SharePartition and will always be preceded by initializeState call,
which sets the stateEpoch (non negative). Furthermore, SharePartition
also creates new leaderEpoch per leadership change.
writeState will always be preceded by readState which will have
correctly set the leaderEpoch by virtue of SharePartition. And since
initializeState correctly sets stateEpoch - writes should contain valid
values for both the epochs.
in light of this ShareCoordinatorShard has been tightened.
new tests have been added to verify the change.

AndrewJSchofield

Thanks for the PR. Looks good to me.

KAFKA-20743: Restrict sentinel leader and state epoch in share coord.

a9778e7

github-actions Bot added triage PRs from the community KIP-932 Queues for Kafka labels Jun 26, 2026

update init state

df40b37

smjn requested review from AndrewJSchofield and apoorvmittal10 June 26, 2026 11:47

smjn added ci-approved and removed triage PRs from the community labels Jun 26, 2026

AndrewJSchofield approved these changes Jun 26, 2026

View reviewed changes

apoorvmittal10 approved these changes Jun 26, 2026

View reviewed changes

apoorvmittal10 merged commit cde0d56 into apache:trunk Jun 26, 2026
28 checks passed

Provide feedback