You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I have observed, that during unideal circumstances, like Kafka maintenance, network issues or many restarts during high load. There is a possiblity of having multiple activate PartitionFlow for the same partition and therefore multiple snapshot store writers for the same key. In worst case this can lead to newer snapshots being overridden by older snapshots.
On consumer side there is proper partition ownership gauranteed by Kafka, but when a partition is revoked on session timeout, there is a delay until the previous owner gets aware of it and the partition flow is stopped. In this time window there is a risk of introduced data corruption. First when the previous owner polls or commit, it will discover being kicked out.
Scenario
Here is a figure describing what can happen:
sequenceDiagram
autonumber
participant inputTopic
participant nodeA
participant nodeB
participant nodeC
participant snapshotStore
inputTopic-->>+nodeA: assign partition 3
nodeA->>snapshotStore: read
snapshotStore-->>nodeA: state_0
nodeA->>inputTopic: poll events
inputTopic-->>nodeA: seqNr 1 to 5
nodeA->>nodeA: state_5 = state_0 + events seqNr 1 to 5
Note over inputTopic, nodeA: unideal circumstances start,<br/>nodeA revoked from partition 3
inputTopic-->>+nodeB: assign partition 3
nodeB->>snapshotStore: read
snapshotStore-->>nodeB: state_0
nodeB->>inputTopic: poll events
inputTopic-->>nodeB: seqNr 1 to 5
nodeB->>nodeB: state_5 = state_0 + events seqNr 1 to 5
nodeB->>inputTopic: poll events
inputTopic-->>nodeB: seqNr 6 to 10
nodeB->>nodeB: state_10 = state_5 + events seqNr 6 to 10
nodeB->>snapshotStore: write state_10
nodeB->>inputTopic: commit seqNr 10
nodeA->>snapshotStore: ⚠️ write state_5
nodeA->>inputTopic: ❌ commit seqNr 5
inputTopic-->>nodeA: not part of active group
nodeA->>-nodeA: stop partition flow
nodeB->>-nodeB: stop partition flow
inputTopic-->>+nodeC: assign partition 3
nodeC->>snapshotStore: read
snapshotStore-->>nodeC: state_5
nodeC->>inputTopic: poll events
inputTopic-->>nodeC: seqNr 11 to 15
nodeC->>-nodeC: 💥 corrupt = state_5 + events seqNr 11 to 15
Loading
In a very extreme case, similar to the scenario in the figure, I observed that nodeA stopped the partition flow first 45 seconds after nodeB started it, for the same partition. As nodeA does not become aware being kicked out before trying to commit offset (19) and getting an error response (20).
Solution
I don't have any straightforward solution to the problem, but the main issue that needs to be prevented is stale writes. Here are some ideas:
Transactional snapshot write + offset commit
If a snapshot could only be written when the consumer can commit, it would ensure that only the proper partition owner can write.
Transactional snapshot read + snapshot write
If the value in snapshot store is asserted to be the previous, stale writes could be prevented.
Offset tracking in snapshot
If snapshots contained offset, on recovery the lowest offset accross all keys in the partition could be used.
Distributed lock
If partition ownership could be fully exclusive through some lease, multiple writers would be impossible.
Workarounds
In the meanwhile, I would appriciate any ideas for workarounds. The only thing I can I can think of is using static partition assignments, to make it impossible that multiple nodes are active for the same partition.
Description
I have observed, that during unideal circumstances, like Kafka maintenance, network issues or many restarts during high load. There is a possiblity of having multiple activate
PartitionFlowfor the same partition and therefore multiple snapshot store writers for the same key. In worst case this can lead to newer snapshots being overridden by older snapshots.On consumer side there is proper partition ownership gauranteed by Kafka, but when a partition is revoked on session timeout, there is a delay until the previous owner gets aware of it and the partition flow is stopped. In this time window there is a risk of introduced data corruption. First when the previous owner polls or commit, it will discover being kicked out.
Scenario
Here is a figure describing what can happen:
sequenceDiagram autonumber participant inputTopic participant nodeA participant nodeB participant nodeC participant snapshotStore inputTopic-->>+nodeA: assign partition 3 nodeA->>snapshotStore: read snapshotStore-->>nodeA: state_0 nodeA->>inputTopic: poll events inputTopic-->>nodeA: seqNr 1 to 5 nodeA->>nodeA: state_5 = state_0 + events seqNr 1 to 5 Note over inputTopic, nodeA: unideal circumstances start,<br/>nodeA revoked from partition 3 inputTopic-->>+nodeB: assign partition 3 nodeB->>snapshotStore: read snapshotStore-->>nodeB: state_0 nodeB->>inputTopic: poll events inputTopic-->>nodeB: seqNr 1 to 5 nodeB->>nodeB: state_5 = state_0 + events seqNr 1 to 5 nodeB->>inputTopic: poll events inputTopic-->>nodeB: seqNr 6 to 10 nodeB->>nodeB: state_10 = state_5 + events seqNr 6 to 10 nodeB->>snapshotStore: write state_10 nodeB->>inputTopic: commit seqNr 10 nodeA->>snapshotStore: ⚠️ write state_5 nodeA->>inputTopic: ❌ commit seqNr 5 inputTopic-->>nodeA: not part of active group nodeA->>-nodeA: stop partition flow nodeB->>-nodeB: stop partition flow inputTopic-->>+nodeC: assign partition 3 nodeC->>snapshotStore: read snapshotStore-->>nodeC: state_5 nodeC->>inputTopic: poll events inputTopic-->>nodeC: seqNr 11 to 15 nodeC->>-nodeC: 💥 corrupt = state_5 + events seqNr 11 to 15In a very extreme case, similar to the scenario in the figure, I observed that
nodeAstopped the partition flow first 45 seconds afternodeBstarted it, for the same partition. AsnodeAdoes not become aware being kicked out before trying to commit offset (19) and getting an error response (20).Solution
I don't have any straightforward solution to the problem, but the main issue that needs to be prevented is stale writes. Here are some ideas:
If a snapshot could only be written when the consumer can commit, it would ensure that only the proper partition owner can write.
If the value in snapshot store is asserted to be the previous, stale writes could be prevented.
If snapshots contained offset, on recovery the lowest offset accross all keys in the partition could be used.
If partition ownership could be fully exclusive through some lease, multiple writers would be impossible.
Workarounds
In the meanwhile, I would appriciate any ideas for workarounds. The only thing I can I can think of is using static partition assignments, to make it impossible that multiple nodes are active for the same partition.