KAFKA-20066: Assignment epochs for consumer groups

[lucliu1108]

Summary

This PR is an implementation of KIP-1251:
https://cwiki.apache.org/confluence/display/KAFKA/KIP-1251%3A+Assignment+epochs+for+consumer+groups
This change introduces per-partition assignment epochs to relax the
strict member epoch validation for consumer group offset commits. When
receiving an offset commit request that includes the client-side member
epoch and a member ID, we previously require checking

clientEpoch == brokerEpoch

for a valid offset commit, which could lead to false fencing.

We now allow a relaxed offset commit check using an assignment epoch for
each assigned partition and each member,

assignmentEpoch <= clientEpoch <= brokerEpoch

This prevents false rejections of legitimate offset commits when a
member's epoch is bumped but the client hasn't received the update yet.

Changes

• Add AssignmentEpochs field to TopicPartitions in
  ConsumerGroupCurrentMemberAssignmentValue schema
• Add assignedPartitionsWithEpochs and
  partitionsPendingRevocationWithEpochs to ConsumerGroupMember
• Update ConsumerGroup.validateOffsetCommit() with relaxed
  validation logic
• Add createAssignmentEpochValidator() for per-partition epoch
  checks
• Update GroupCoordinatorRecordHelpers to serialize assignment
  epochs
• Update GroupMetadataManager to reset assignment epoch when leaving
  group for static members

Reviewers: @lucasbru

[dajac]

cc @squah-confluent

[Copilot]

Pull request overview

Implements KIP-1251 assignment epochs for modern consumer groups to relax offset-commit fencing by validating commits against per-partition assignment epochs rather than requiring a strict member-epoch match.

Changes:

• Extends the ConsumerGroupCurrentMemberAssignmentValue schema to persist per-partition assignment epochs alongside assigned partitions.
• Adds epoch-annotated assignment tracking to ConsumerGroupMember and serializes it via GroupCoordinatorRecordHelpers.
• Updates ConsumerGroup.validateOffsetCommit() to allow assignmentEpoch <= clientEpoch <= brokerEpoch using a per-partition validator when epochs don’t strictly match.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
group-coordinator/src/main/resources/common/message/ConsumerGroupCurrentMemberAssignmentValue.json	Adds per-partition AssignmentEpochs field aligned with the partitions array.
group-coordinator/src/main/java/org/apache/kafka/coordinator/group/modern/consumer/ConsumerGroupMember.java	Introduces epoch-annotated assignment maps + accessors and builder support (incl. reset to zero).
group-coordinator/src/main/java/org/apache/kafka/coordinator/group/modern/consumer/ConsumerGroup.java	Relaxes offset-commit epoch validation and adds per-partition assignment-epoch validator.
group-coordinator/src/main/java/org/apache/kafka/coordinator/group/GroupMetadataManager.java	Resets assignment epochs for departing static members and clears pending-revocation epochs.
group-coordinator/src/main/java/org/apache/kafka/coordinator/group/GroupCoordinatorRecordHelpers.java	Serializes assignment epochs into coordinator records.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

setAssignedPartitionsWithEpochs / setPartitionsPendingRevocationWithEpochs keep the Set-based fields in sync, but the Builder still also has the older setAssignedPartitions(...) and setPartitionsPendingRevocation(...) setters. Given GroupCoordinatorRecordHelpers now serializes assignedPartitionsWithEpochs()/partitionsPendingRevocationWithEpochs(), any code path that uses the older setters (without also setting the epoch maps) can drop epoch information and even persist empty assignments. Consider enforcing invariants in build() (e.g., derive epoch maps when missing), or deprecating/removing the Set-based setters to prevent constructing an internally inconsistent ConsumerGroupMember.

[Copilot]

newConsumerGroupCurrentAssignmentRecord now exclusively serializes member.assignedPartitionsWithEpochs()/partitionsPendingRevocationWithEpochs(). If those maps are empty while the Set-based assignment fields are populated (possible via existing Builder setters), this will write records with empty assignments and effectively lose the current assignment on disk. Consider adding a defensive fallback (e.g., derive epoch maps from assignedPartitions()/partitionsPendingRevocation() with a sensible default epoch) or validate/throw if the member is internally inconsistent before serializing.

[Copilot]

Grammar in this comment is off: consider changing "For member using the classic protocol" to "For members using the classic protocol" (or "For a member using...") for clarity.

[Copilot]

Minor comment formatting: add a space after the colon in "Case 2:Client".

Suggested change

	// Case 2:Client epoch > broker epoch, which is an invalid request
	// Case 2: Client epoch > broker epoch, which is an invalid request

[Copilot]

The new relaxed offset-commit validation path (returning a per-partition validator when receivedMemberEpoch < broker member epoch) doesn’t appear to be covered by unit tests. It would be useful to add ConsumerGroupTest cases that (1) accept commits when assignmentEpoch <= receivedEpoch < brokerEpoch for assigned/pending-revocation partitions, and (2) reject commits when the partition isn’t assigned or when receivedEpoch < assignmentEpoch, to prevent regressions in the new behavior.

[Copilot]

Import order looks inconsistent with the rest of the module: java.util.stream.Collectors is currently placed between java.util.ArrayList and java.util.Collections. Other files keep java.util.* imports together and place java.util.stream.* afterwards (e.g., Utils.java:36-49). Please reorder these imports to match the established style (this may also be enforced by Checkstyle).

[lucasbru]

Thanks for the PR @lucliu1108 !

I left some comments. I think the biggest one to me is right now that we should not have two collections representing the assigned partitions in ConsumerGroupMember.

I guess this is meant as a draft, we will not be able to merge this without tests. Ideally, we merge it as a series of smaller PRs. But it can make sense to create one draft PR with everything first for the conceptual review, and then split it up into a couple smaller PRs in the final merge.

[lucasbru]

Why are we adding assignedPartitionsWithEpochs in addition to assignedPartitions? This will get out of sync. I think we should just have the second, and replace all uses of assignedPartitions with assignedPartitionsWithEpochs.

[lucliu1108]

I have removed all setters for assignedPartitions and partitionsPendingRevocation, but still keep the getters and as private fields to avoid redundant conversions in other methods that previously call these getters.

Since these private fields will be re-constructed every time the builder is called to set assignedPartitionsWithEpochs and partitionsRevocationsWithEpochs, the getters won't be async.

[lucasbru]

I think this makes sense - are there so many places that require assignedPartitions and partitionsPendingRevocation that we cannot convert the calling context to use the map instead of the set? Or do we require it because of the sharing with the share group?

I wonder if it could be worth implementing a view on the keySet to avoid the second collection here, as it's probably one of the larger collections in the GC.

[lucliu1108]

For the assignedPartitions, it is part of the fields inherited from ModernGroupMember that ShareGroupMember also uses, so i left it there for the getter method.
Or another way is not to initialize it in the constructor (keep it null?) but maybe this is not good practice.

For the. partitionsPendingRevocation, there are 6 or 7 places it is directly called. Guess I could remove this method and do extra conversions for where its' called instead, or use a view.

[lucasbru]

It seems we also need to update the dynamic member leave code. We seem to set setAssignedPartitions there.

[lucasbru]

Above, we are allowing committing unassigned partitions if the "strict epoch match" passes, that is client-side member epoch = server-side member epoch.

Then this error message is probably not sufficient as a reason. We should also include that the client-side member epoch != server-side member epoch in this error.

[squah-confluent]

I'm in favor of aligning with the streams implementation as much as possible. Streams has the same pattern and uses the message Task %s-%d is not assigned or pending revocation for member.. Shall we update the streams message too (in a separate PR maybe)?

[lucasbru]

Sound good!

[lucasbru]

On a high level, this makes sense to me. I left a comment, but you can definitely work on the tests

[lucasbru]

why getOrDefault and not just get

[lucasbru]

I think this makes sense - are there so many places that require assignedPartitions and partitionsPendingRevocation that we cannot convert the calling context to use the map instead of the set? Or do we require it because of the sharing with the share group?

I wonder if it could be worth implementing a view on the keySet to avoid the second collection here, as it's probably one of the larger collections in the GC.

[lucasbru]

If an partition was pending revocation, and is added back to the target assignment of the member, it seems we want to keep the original assignment epoch. So we have to look at member.partitionPendingRevociations here as well, no?