implement exactly-once commits to Kafka sinks and read_committed reads to Kafka sources.

[jacksonrnewhouse]

Using the transactional kafka APIs we now support putting writing to Kafka via transactions. For each subtask a new kafka producer is created on each checkpoint, which writes all of the data within the checkpoint for that subtask in one transaction. When a checkpoint barrier is received it will switch initialize a new producer, while keeping the old one around for a commit message.

Currently we don't support recovering if the pipeline is interrupted after the checkpoints have been created but before the checkpoint is committed. The semantics of this are pretty tricky and there are a number of approaches with various safety and reliability tradeoffs. Flink, for instance, interrogates the internal transaction state from __transaction_state and then uses reflection to rebuild internal state. I don't think this is an option given the libraries we're using. Another approach that should work is to reliably determine if the previous transaction was successfully committed and, if not, replay the data by reading the uncommitted records off of kafka into a new commit. This will require careful management of active transactions, as Kafka doesn't directly expose the commit state of prior transaction.

I've also added the ability to only have our Kafka sources read committed data, via read_mode values of read_uncommitted and read_committed.

I'd appreciate feedback on the naming of the parameters? For things like kafka configs, should we be using the same names as the underlying service, maybe prefixed by the service? In our case, this'd mean that instead of read_mode we use kafka.isolation.level.

[mwylde]

I believe this is a breaking change that will make existing kafka sources unusable. Can we make it not required and use read_uncommitted as the default value when we use it?

If that's not possible, perhaps it would make sense to include a DB migration that adds this field to existing kafka connections.

[mwylde]

I think this description could be expanded a bit to say that this enables transactional semantics and requires that transactional support be enabled in Kafka

[mwylde]

I think this should be source.read_mode and sink.commit_mode to match the json and the existing source.offset config.

As far as the actual names I'm a bit torn—I do think "read_mode" is a better name than "isolation.level" but there's also benefit in using the existing terminology

[jacksonrnewhouse]

Going with source.read_mode and sink.commit_mode for now.

[mwylde]

same here — is it possible to make it not required and use a default?

[mwylde]

I believe you mentioned that transactional support needs to be enabled in the broker for this to work. If it's not, how does the error manifest? Ideally we'd get that back to the user using the error reporting system: https://github.com/ArroyoSystems/arroyo/blob/master/arroyo-worker/src/engine.rs#L471

[jacksonrnewhouse]

No, that conversation we had was just that if you're running kafka locally you need some additional settings. In docker-compose.yaml it looks like

      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
      KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: 1
      KAFKA_MIN_INSYNC_REPLICAS: 1
      KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: 1

This converts to settings in /etc/kafka/kafka.properties like

offsets.topic.replication.factor=1
transaction.state.log.replication.factor=1
min.insync.replicas=1
transaction.state.log.min.isr=1

Transactions have been in kafka since 0.11 from 2017, so I don't think it is worth having a lot of checks for that.

[mwylde]

should this include the topic as well?

[jacksonrnewhouse]

Sure, seems reasonable.

[mwylde]

What's the implication of settings this to Timeout::Never?

[jacksonrnewhouse]

This means it will block without a timeout. Happy to switch to a different timeout, or have it be configurable.

[mwylde]

Should this panic if we fail all 5 attempts?

[jacksonrnewhouse]

doh