Reset stored offset on assign() and prevent offsets_store() for unassigned partitions

Author: edenhill

CHANGELOG.md

@@ -6,6 +6,26 @@ librdkafka v1.9.0 is a feature release:
  * Added KIP-140 Admin API ACL support (by @emasab, #2676)
 
 
+## Upgrade considerations
+
+ * Consumer:
+   `rd_kafka_offsets_store()` (et.al) will now return an error for any
+   partition that is not currently assigned (through `rd_kafka_*assign()`).
+   This prevents a race condition where an application would store offsets
+   after the assigned partitions had been revoked (which resets the stored
+   offset), that could cause these old stored offsets to be committed later
+   when the same partitions were assigned to this consumer again - effectively
+   overwriting any committed offsets by any consumers that were assigned the
+   same partitions previously. This would typically result in the offsets
+   rewinding and messages to be reprocessed.
+   As an extra effort to avoid this situation the stored offset is now
+   also reset when partitions are assigned (through `rd_kafka_*assign()`).
+   Applications that explicitly call `..offset*_store()` will now need
+   to handle the case where `RD_KAFKA_RESP_ERR__STATE` is returned
+   in the per-partition `.err` field - meaning the partition is no longer
+   assigned to this consumer and the offset could not be stored for commit.
+
+
 ## Enhancements
 
  * Windows: Added native Win32 IO/Queue scheduling. This removes the
@@ -43,6 +63,11 @@ librdkafka v1.9.0 is a feature release:
 
 ### Consumer fixes
 
+ * `rd_kafka_offsets_store()` (et.al) will now return an error for any
+   partition that is not currently assigned (through `rd_kafka_*assign()`).
+   See **Upgrade considerations** above for more information.
+ * `rd_kafka_*assign()` will now reset/clear the stored offset.
+   See **Upgrade considerations** above for more information.
  * A `ERR_MSG_SIZE_TOO_LARGE` consumer error would previously be raised
    if the consumer received a maximum sized FetchResponse only containing
    (transaction) aborted messages with no control messages. The fetching did

src/rdkafka.h

@@ -3824,6 +3824,11 @@ int rd_kafka_consume_callback_queue(
  * The \c offset + 1 will be committed (written) to broker (or file) according
  * to \c `auto.commit.interval.ms` or manual offset-less commit()
  *
+ * @warning This method may only be called for partitions that are currently
+ *          assigned.
+ *          Non-assigned partitions will fail with RD_KAFKA_RESP_ERR__STATE.
+ *          Since v1.9.0.
+ *
  * @remark \c `enable.auto.offset.store` must be set to "false" when using
  *         this API.
  *
@@ -3841,18 +3846,23 @@ rd_kafka_offset_store(rd_kafka_topic_t *rkt, int32_t partition, int64_t offset);
  * to \c `auto.commit.interval.ms` or manual offset-less commit().
  *
  * Per-partition success/error status propagated through each partition's
- * \c .err field.
+ * \c .err for all return values (even NO_ERROR) except INVALID_ARG.
+ *
+ * @warning This method may only be called for partitions that are currently
+ *          assigned.
+ *          Non-assigned partitions will fail with RD_KAFKA_RESP_ERR__STATE.
+ *          Since v1.9.0.
  *
  * @remark The \c .offset field is stored as is, it will NOT be + 1.
  *
  * @remark \c `enable.auto.offset.store` must be set to "false" when using
  *         this API.
  *
- * @returns RD_KAFKA_RESP_ERR_NO_ERROR on success, or
- *          RD_KAFKA_RESP_ERR__UNKNOWN_PARTITION if none of the
- *          offsets could be stored, or
+ * @returns RD_KAFKA_RESP_ERR_NO_ERROR on (partial) success, or
  *          RD_KAFKA_RESP_ERR__INVALID_ARG if \c enable.auto.offset.store
- *          is true.
+ *          is true, or
+ *          RD_KAFKA_RESP_ERR__UNKNOWN_PARTITION or RD_KAFKA_RESP_ERR__STATE
+ *          if none of the offsets could be stored.
  */
 RD_EXPORT rd_kafka_resp_err_t
 rd_kafka_offsets_store(rd_kafka_t *rk,

src/rdkafka_assignment.c

@@ -342,11 +342,15 @@ static int rd_kafka_assignment_serve_removals(rd_kafka_t *rk) {
                  * a manual offset-less commit() or the auto-committer
                  * will not commit a stored offset from a previous
                  * assignment (issue #2782). */
-                rd_kafka_offset_store0(rktp, RD_KAFKA_OFFSET_INVALID,
+                rd_kafka_offset_store0(rktp, RD_KAFKA_OFFSET_INVALID, rd_true,
                                        RD_DONT_LOCK);
 
                 /* Partition is no longer desired */
                 rd_kafka_toppar_desired_del(rktp);
+
+                rd_assert((rktp->rktp_flags & RD_KAFKA_TOPPAR_F_ASSIGNED));
+                rktp->rktp_flags &= ~RD_KAFKA_TOPPAR_F_ASSIGNED;
+
                 rd_kafka_toppar_unlock(rktp);
 
                 rd_kafka_dbg(rk, CGRP, "REMOVE",
@@ -713,6 +717,28 @@ rd_kafka_assignment_add(rd_kafka_t *rk,
                 rd_kafka_topic_partition_ensure_toppar(rk, rktpar, rd_true);
         }
 
+        /* Mark all partition objects as assigned and reset the stored
+         * offsets back to invalid in case it was explicitly stored during
+         * the time the partition was not assigned. */
+        for (i = 0; i < partitions->cnt; i++) {
+                rd_kafka_topic_partition_t *rktpar = &partitions->elems[i];
+                rd_kafka_toppar_t *rktp =
+                    rd_kafka_topic_partition_ensure_toppar(rk, rktpar, rd_true);
+
+                rd_kafka_toppar_lock(rktp);
+
+                rd_assert(!(rktp->rktp_flags & RD_KAFKA_TOPPAR_F_ASSIGNED));
+                rktp->rktp_flags |= RD_KAFKA_TOPPAR_F_ASSIGNED;
+
+                /* Reset the stored offset to INVALID to avoid the race
+                 * condition described in rdkafka_offset.h */
+                rd_kafka_offset_store0(rktp, RD_KAFKA_OFFSET_INVALID,
+                                       rd_true /* force */, RD_DONT_LOCK);
+
+                rd_kafka_toppar_unlock(rktp);
+        }
+
+
         /* Add the new list of partitions to the current assignment.
          * Only need to sort the final assignment if it was non-empty
          * to begin with since \p partitions is sorted above. */

src/rdkafka_offset.c

@@ -636,6 +636,7 @@ rd_kafka_resp_err_t rd_kafka_offset_store(rd_kafka_topic_t *app_rkt,
                                           int64_t offset) {
         rd_kafka_topic_t *rkt = rd_kafka_topic_proper(app_rkt);
         rd_kafka_toppar_t *rktp;
+        rd_kafka_resp_err_t err;
 
         /* Find toppar */
         rd_kafka_topic_rdlock(rkt);
@@ -645,19 +646,21 @@ rd_kafka_resp_err_t rd_kafka_offset_store(rd_kafka_topic_t *app_rkt,
         }
         rd_kafka_topic_rdunlock(rkt);
 
-        rd_kafka_offset_store0(rktp, offset + 1, 1 /*lock*/);
+        err = rd_kafka_offset_store0(rktp, offset + 1,
+                                     rd_false /* Don't force */, RD_DO_LOCK);
 
         rd_kafka_toppar_destroy(rktp);
 
-        return RD_KAFKA_RESP_ERR_NO_ERROR;
+        return err;
 }
 
 
 rd_kafka_resp_err_t
 rd_kafka_offsets_store(rd_kafka_t *rk,
                        rd_kafka_topic_partition_list_t *offsets) {
         int i;
-        int ok_cnt = 0;
+        int ok_cnt                   = 0;
+        rd_kafka_resp_err_t last_err = RD_KAFKA_RESP_ERR_NO_ERROR;
 
         if (rk->rk_conf.enable_auto_offset_store)
                 return RD_KAFKA_RESP_ERR__INVALID_ARG;
@@ -670,19 +673,23 @@ rd_kafka_offsets_store(rd_kafka_t *rk,
                     rd_kafka_topic_partition_get_toppar(rk, rktpar, rd_false);
                 if (!rktp) {
                         rktpar->err = RD_KAFKA_RESP_ERR__UNKNOWN_PARTITION;
+                        last_err    = rktpar->err;
                         continue;
                 }
 
-                rd_kafka_offset_store0(rktp, rktpar->offset, 1 /*lock*/);
+                rktpar->err = rd_kafka_offset_store0(rktp, rktpar->offset,
+                                                     rd_false /* don't force */,
+                                                     RD_DO_LOCK);
                 rd_kafka_toppar_destroy(rktp);
 
-                rktpar->err = RD_KAFKA_RESP_ERR_NO_ERROR;
-                ok_cnt++;
+                if (rktpar->err)
+                        last_err = rktpar->err;
+                else
+                        ok_cnt++;
         }
 
-        return offsets->cnt > 0 && ok_cnt == 0
-                   ? RD_KAFKA_RESP_ERR__UNKNOWN_PARTITION
-                   : RD_KAFKA_RESP_ERR_NO_ERROR;
+        return offsets->cnt > 0 && ok_cnt == 0 ? last_err
+                                               : RD_KAFKA_RESP_ERR_NO_ERROR;
 }
 
 
@@ -1044,7 +1051,7 @@ rd_kafka_resp_err_t rd_kafka_offset_store_stop(rd_kafka_toppar_t *rktp) {
             rktp->rktp_stored_offset == RD_KAFKA_OFFSET_INVALID &&
             rktp->rktp_offsets_fin.eof_offset > 0)
                 rd_kafka_offset_store0(rktp, rktp->rktp_offsets_fin.eof_offset,
-                                       0 /*no lock*/);
+                                       rd_true /* force */, RD_DONT_LOCK);
 
         /* Commit offset to backing store.
          * This might be an async operation. */

src/rdkafka_offset.h

@@ -36,19 +36,71 @@ const char *rd_kafka_offset2str(int64_t offset);
 
 
 /**
- * Stores the offset for the toppar 'rktp'.
- * The actual commit of the offset to backing store is usually
- * performed at a later time (time or threshold based).
+ * @brief Stores the offset for the toppar 'rktp'.
+ *        The actual commit of the offset to backing store is usually
+ *        performed at a later time (time or threshold based).
+ *
+ * For the high-level consumer (assign()), this function will reject absolute
+ * offsets if the partition is not currently assigned, unless \p force is set.
+ * This check was added to avoid a race condition where an application
+ * would call offsets_store() after the partitions had been revoked, forcing
+ * a future auto-committer on the next assignment to commit this old offset and
+ * overwriting whatever newer offset was committed by another consumer.
+ *
+ * The \p force flag is useful for internal calls to offset_store0() which
+ * do not need the protection described above.
+ *
+ *
+ * There is one situation where the \p force flag is troublesome:
+ * If the application is using any of the consumer batching APIs,
+ * e.g., consume_batch() or the event-based consumption, then it's possible
+ * that while the batch is being accumulated or the application is picking off
+ * messages from the event a rebalance occurs (in the background) which revokes
+ * the current assignment. This revokal will remove all queued messages, but
+ * not the ones the application already has accumulated in the event object.
+ * Enforcing assignment for store in this state is tricky with a bunch of
+ * corner cases, so instead we let those places forcibly store the offset, but
+ * then in assign() we reset the stored offset to .._INVALID, just like we do
+ * on revoke.
+ * Illustrated (with fix):
+ *   1. ev = rd_kafka_queue_poll();
+ *   2. background rebalance revoke unassigns the partition and sets the
+ *      stored offset to _INVALID.
+ *   3. application calls message_next(ev) which forcibly sets the
+ *      stored offset.
+ *   4. background rebalance assigns the partition again, but forcibly sets
+ *      the stored offset to .._INVALID to provide a clean state.
+ *
+ * @param offset Offset to set, may be an absolute offset or .._INVALID.
+ * @param force Forcibly set \p offset regardless of assignment state.
+ * @param do_lock Whether to lock the \p rktp or not (already locked by caller).
  *
  * See head of rdkafka_offset.c for more information.
+ *
+ * @returns RD_KAFKA_RESP_ERR__STATE if the partition is not currently assigned,
+ *          unless \p force is set.
  */
-static RD_INLINE RD_UNUSED void
-rd_kafka_offset_store0(rd_kafka_toppar_t *rktp, int64_t offset, int lock) {
-        if (lock)
+static RD_INLINE RD_UNUSED rd_kafka_resp_err_t
+rd_kafka_offset_store0(rd_kafka_toppar_t *rktp,
+                       int64_t offset,
+                       rd_bool_t force,
+                       rd_dolock_t do_lock) {
+        rd_kafka_resp_err_t err = RD_KAFKA_RESP_ERR_NO_ERROR;
+
+        if (do_lock)
                 rd_kafka_toppar_lock(rktp);
-        rktp->rktp_stored_offset = offset;
-        if (lock)
+
+        if (unlikely(!force && !RD_KAFKA_OFFSET_IS_LOGICAL(offset) &&
+                     !(rktp->rktp_flags & RD_KAFKA_TOPPAR_F_ASSIGNED) &&
+                     !rd_kafka_is_simple_consumer(rktp->rktp_rkt->rkt_rk)))
+                err = RD_KAFKA_RESP_ERR__STATE;
+        else
+                rktp->rktp_stored_offset = offset;
+
+        if (do_lock)
                 rd_kafka_toppar_unlock(rktp);
+
+        return err;
 }
 
 rd_kafka_resp_err_t

src/rdkafka_op.c

@@ -897,6 +897,8 @@ void rd_kafka_op_offset_store(rd_kafka_t *rk, rd_kafka_op_t *rko) {
         rd_kafka_toppar_lock(rktp);
         rktp->rktp_app_offset = offset;
         if (rk->rk_conf.enable_auto_offset_store)
-                rd_kafka_offset_store0(rktp, offset, 0 /*no lock*/);
+                rd_kafka_offset_store0(rktp, offset,
+                                       /* force: ignore assignment state */
+                                       rd_true, RD_DONT_LOCK);
         rd_kafka_toppar_unlock(rktp);
 }

src/rdkafka_partition.h

@@ -344,6 +344,9 @@ struct rd_kafka_toppar_s {                           /* rd_kafka_toppar_t */
 #define RD_KAFKA_TOPPAR_F_ON_DESP 0x400  /**< On rkt_desp list */
 #define RD_KAFKA_TOPPAR_F_ON_CGRP 0x800  /**< On rkcg_toppars list */
 #define RD_KAFKA_TOPPAR_F_ON_RKB  0x1000 /**< On rkb_toppars list */
+#define RD_KAFKA_TOPPAR_F_ASSIGNED                                             \
+        0x2000 /**< Toppar is part of the consumer                             \
+                *   assignment. */
 
         /*
          * Timers