Back to Resources

Exactly-Once Semantics in Kafka Streams: A Deep Dive into EOS v2

16 min read
Goh Ling Yong
Technology enthusiast and software architect specializing in AI-driven development tools and modern software engineering practices. Passionate about the intersection of artificial intelligence and human creativity in building tomorrow's digital solutions.

Beyond the Configuration: Unpacking `exactly_once_v2`

For any senior engineer building critical event-driven systems, ensuring data integrity is non-negotiable. While at-least-once delivery is often sufficient for telemetry or logging, financial ledgers, e-commerce order processing, or IoT command systems demand a stronger guarantee: Exactly-Once Semantics (EOS). Simply setting processing.guarantee=exactly_once_v2 in your Kafka Streams application is the first step, but it's a dangerous abstraction if you don't understand the intricate machinery working underneath.

This post is not an introduction. It assumes you are familiar with Kafka Streams topologies, state stores, and the fundamental differences between at-most-once, at-least-once, and exactly-once processing. We will deconstruct the exactly_once_v2 guarantee, examining its three core pillars: idempotent producers, atomic transactions, and the mechanisms Kafka Streams employs to orchestrate them. Our focus will be on production patterns, particularly how to handle stateful operations and, most critically, how to manage side effects with external systems without breaking the EOS promise.

We will build a stateful transaction aggregation application, demonstrate the fatal flaw of naively interacting with external databases, and then implement a production-grade solution using the Transactional Outbox pattern. Finally, we'll dissect advanced failure scenarios like "zombie instances" and the crucial role of fencing in maintaining data integrity during rebalances.

The Three Pillars of EOS in Kafka

Kafka's EOS is not a single feature but a synergy of three distinct components working in concert. exactly_once_v2 (introduced in Kafka 2.5 and the current standard) refines this process, making it more efficient and robust than its predecessor.

Pillar 1: The Idempotent Producer

Idempotence is the foundation upon which transactions are built. It solves the problem of duplicate messages caused by producer retries. When a producer sends a message, it might not receive an acknowledgment due to a transient network issue, even if the broker successfully wrote the message. A naive retry would create a duplicate.

The idempotent producer prevents this by assigning a unique Producer ID (PID) and a monotonically increasing sequence number to each message sent to a specific topic-partition.

Configuration:

java
// Producer properties
props.put(ProducerConfig.ENABLE_IDEMPOTENCE_CONFIG, "true");
// The following are defaults when idempotence is enabled, but shown for clarity
props.put(ProducerConfig.ACKS_CONFIG, "all");
props.put(ProducerConfig.RETRIES_CONFIG, Integer.toString(Integer.MAX_VALUE));

Under the Hood:

  • PID Assignment: On initialization, the producer is assigned a unique, persistent PID by the broker.
  • Sequence Numbering: For each message sent to a partition, the producer increments a sequence number. The broker tracks the highest sequence number successfully written for each (PID, topic-partition) pair.
  • Duplicate Rejection: If the broker receives a message with a sequence number less than or equal to the one it has already logged for that PID, it discards the message but returns a successful acknowledgment to the producer. This ensures the retry succeeds without creating a duplicate record.

    • This guarantees exactly-once delivery per partition on producer retries. However, it does not guarantee atomicity across multiple partitions or within a consumer-process-produce workflow. That's where transactions come in.

    Pillar 2: The Transactional API

    Kafka transactions allow you to group a set of produced messages and consumer offset commits into a single atomic unit. This is the core of the "read-process-write" atomicity required by Kafka Streams.

    Key Concepts:

    * Transactional ID (transactional.id): This is a unique ID provided by the producer application. It allows the broker to maintain transaction state across producer restarts. A producer instance with the same transactional.id can resume or abort the transaction of a previous, failed instance.

    * Transaction Coordinator: A dedicated broker process that manages the state of transactions. It tracks the status (Ongoing, PrepareCommit, Committed, Aborted) for each transactional.id.

    * Control Messages: The coordinator writes special COMMIT or ABORT markers to the log. These markers are invisible to most consumers but signal the outcome of the transaction.

    * Consumer Isolation Level: Consumers must be configured with isolation.level=read_committed to ensure they only read messages that are part of a completed, successful transaction. They will buffer messages that are part of an open transaction and will discard messages from aborted transactions.

    Pillar 3: Kafka Streams Integration (`exactly_once_v2`)

    Kafka Streams masterfully orchestrates these components. When you set processing.guarantee=exactly_once_v2, the framework handles the entire transactional lifecycle for each record it processes.

    Here's what happens for each message that flows through your topology:

  • Begin Transaction: Kafka Streams calls producer.beginTransaction().
  • Read & Process: The message is read from the source topic and processed by your topology nodes (e.g., map, filter, groupBy).
  • Update State Stores: Any changes to state stores are written to their local disk instance and tracked in their associated changelog topics. These changelog topic writes are part of the ongoing transaction.
  • Produce Output: Any messages sent to downstream sink topics are produced via the transactional producer.
  • Commit Offsets: The offsets of the consumed source topic messages are sent to the transaction coordinator to be included in the transaction.
  • Commit Transaction: Kafka Streams calls producer.commitTransaction(). The transaction coordinator executes a 2-phase commit protocol. It writes a PREPARE_COMMIT marker to the transaction log, then writes the COMMIT markers to the user topic partitions and the consumer offsets topic. Finally, it marks the transaction as COMMITTED.

    • If any step fails (e.g., the application crashes before committing), the transaction is aborted. On restart, the application resumes from the last successfully committed offset, ensuring no data is lost and no partial results are visible downstream.

    Production Scenario: Stateful Transaction Aggregation

    Let's build a service that aggregates user transaction amounts in real-time. We'll read from a raw-transactions topic, maintain a running balance in a state store, and output the updated balance to an aggregated-balances topic.

    Dependencies (Maven):

    xml
    <dependency>
    <groupId>org.apache.kafka</groupId>
    <artifactId>kafka-streams</artifactId>
    <version>3.4.0</version>
</dependency>

    The Topology:

    java
    import org.apache.kafka.common.serialization.Serdes;
import org.apache.kafka.streams.KafkaStreams;
import org.apache.kafka.streams.StreamsBuilder;
import org.apache.kafka.streams.StreamsConfig;
import org.apache.kafka.streams.Topology;
import org.apache.kafka.streams.kstream.*;
import org.apache.kafka.streams.state.KeyValueStore;
import org.apache.kafka.common.utils.Bytes;

import java.util.Properties;

// Assuming simple JSON Serdes are configured elsewhere for Transaction and Balance classes
// For brevity, we'll use Serdes.String() and Serdes.Double()

public class BalanceAggregator {

    public static final String RAW_TRANSACTIONS_TOPIC = "raw-transactions";
    public static final String AGGREGATED_BALANCES_TOPIC = "aggregated-balances";
    public static final String BALANCE_STORE_NAME = "balance-store";

    public static void main(String[] args) {
        Properties props = new Properties();
        props.put(StreamsConfig.APPLICATION_ID_CONFIG, "balance-aggregator-v1");
        props.put(StreamsConfig.BOOTSTRAP_SERVERS_CONFIG, "localhost:9092");
        props.put(StreamsConfig.DEFAULT_KEY_SERDE_CLASS_CONFIG, Serdes.String().getClass());
        props.put(StreamsConfig.DEFAULT_VALUE_SERDE_CLASS_CONFIG, Serdes.Double().getClass());

        // Enable Exactly-Once Semantics v2
        props.put(StreamsConfig.PROCESSING_GUARANTEE_CONFIG, StreamsConfig.EXACTLY_ONCE_V2);
        // Increase commit interval to batch more records per transaction
        props.put(StreamsConfig.COMMIT_INTERVAL_MS_CONFIG, 1000);

        Topology topology = createTopology();
        KafkaStreams streams = new KafkaStreams(topology, props);

        Runtime.getRuntime().addShutdownHook(new Thread(streams::close));
        streams.start();
    }

    public static Topology createTopology() {
        StreamsBuilder builder = new StreamsBuilder();

        // Input: Key=userId (String), Value=transactionAmount (Double)
        KStream<String, Double> transactions = builder.stream(RAW_TRANSACTIONS_TOPIC);

        KTable<String, Double> balances = transactions
            .groupByKey()
            .aggregate(
                () -> 0.0, // Initializer
                (userId, transactionAmount, currentBalance) -> currentBalance + transactionAmount, // Aggregator
                Materialized.<String, Double, KeyValueStore<Bytes, byte[]>>as(BALANCE_STORE_NAME)
                    .withKeySerde(Serdes.String())
                    .withValueSerde(Serdes.Double())
            );

        balances.toStream().to(AGGREGATED_BALANCES_TOPIC, Produced.with(Serdes.String(), Serdes.Double()));

        return builder.build();
    }
}

    In this setup, the atomicity is guaranteed within Kafka. The consumption from raw-transactions, the update to the balance-store state store (and its underlying changelog topic), and the production to aggregated-balances all happen in a single transaction. If the application crashes after updating the state store but before producing the output message, the entire transaction will be aborted on restart, and the input message will be reprocessed correctly.

    The Achilles' Heel: Interacting with External Systems

    Now, let's introduce a common production requirement: for every balance update that crosses a certain threshold, we must send an alert to an external system, for example, by writing a record to a relational database.

    A Naive (and Incorrect) Approach:

    One might be tempted to modify the topology like this:

    java
    // DO NOT DO THIS IN PRODUCTION
balances.toStream()
    .peek((userId, newBalance) -> {
        if (newBalance > 10000.0) {
            // DatabaseClient is a hypothetical JDBC client
            DatabaseClient.writeAlert("User " + userId + " balance exceeds 10k: " + newBalance);
        }
    })
    .to(AGGREGATED_BALANCES_TOPIC, Produced.with(Serdes.String(), Serdes.Double()));

    Why this breaks EOS:

    The DatabaseClient.writeAlert() call is an external side effect that occurs outside the Kafka transaction. Consider this failure scenario:

    • The database alert is successfully written.
  • The application crashes before commitTransaction() is called.
    • On restart, Kafka Streams aborts the previous transaction.
    • It resumes processing from the last committed offset, re-processing the same transaction message.
  • The balance is re-calculated, the threshold is crossed again, and DatabaseClient.writeAlert() is called a second time, creating a duplicate alert.

    • This breaks our exactly-once guarantee. The core problem is that the database write is not part of the atomic commit managed by Kafka's Transaction Coordinator.

    Production-Ready Solution: The Transactional Outbox Pattern

    The Outbox Pattern decouples the stream processing logic from the external system interaction, leveraging Kafka's own transactional capabilities to ensure end-to-end consistency.

    The Pattern:

    • Instead of calling the external system directly, the Kafka Streams application produces a message representing the desired action (an "intent" or "event") to a dedicated Kafka topic, the "outbox topic".
  • This production to the outbox topic is part of the same transaction as the primary business logic.
    • A separate, independent process (a standalone consumer or a Kafka Connect Sink Connector) consumes from the outbox topic.
  • This sink consumer is responsible for performing the action against the external system. It must be designed to be idempotent itself, using unique IDs from the event messages to prevent duplicate writes.

    • Implementation:

    Let's modify our topology to implement this pattern.

    java
    import org.apache.kafka.streams.kstream.KStream;
// ... other imports

public class BalanceAggregatorWithOutbox {

    public static final String RAW_TRANSACTIONS_TOPIC = "raw-transactions";
    public static final String AGGREGATED_BALANCES_TOPIC = "aggregated-balances";
    public static final String ALERT_OUTBOX_TOPIC = "alert-outbox"; // Our new outbox topic
    public static final String BALANCE_STORE_NAME = "balance-store";

    // ... main method with props setup remains the same ...

    public static Topology createTopology() {
        StreamsBuilder builder = new StreamsBuilder();

        KStream<String, Double> transactions = builder.stream(RAW_TRANSACTIONS_TOPIC);

        KTable<String, Double> balances = transactions
            .groupByKey()
            .aggregate(
                () -> 0.0,
                (userId, transactionAmount, currentBalance) -> currentBalance + transactionAmount,
                Materialized.<String, Double, KeyValueStore<Bytes, byte[]>>as(BALANCE_STORE_NAME)
                    .withKeySerde(Serdes.String())
                    .withValueSerde(Serdes.Double())
            );

        KStream<String, Double> balanceStream = balances.toStream();

        // Send all balance updates to the primary topic
        balanceStream.to(AGGREGATED_BALANCES_TOPIC, Produced.with(Serdes.String(), Serdes.Double()));

        // The Outbox Logic
        balanceStream
            .filter((userId, newBalance) -> newBalance > 10000.0)
            // We could transform this into a more structured Alert object
            // For simplicity, we just forward the balance as a String message
            .mapValues(balance -> "High balance detected: " + balance)
            .to(ALERT_OUTBOX_TOPIC, Produced.with(Serdes.String(), Serdes.String()));

        return builder.build();
    }
}

    Now, the production of messages to AGGREGATED_BALANCES_TOPIC and ALERT_OUTBOX_TOPIC are part of the same atomic transaction. The flow is now:

    • Transaction begins.
  • raw-transactions message is consumed.
    • State store is updated.
  • Message is produced to aggregated-balances.
  • If balance > 10k, a message is produced to alert-outbox.
    • Consumer offset is staged for commit.
    • Transaction is committed.

    If a crash happens anywhere before step 7, the entire operation is rolled back. The alert-outbox topic will never contain a message for a transaction that didn't fully complete. We have successfully extended the transactional boundary.

    The Idempotent Sink:

    The final piece is the consumer of the alert-outbox topic. Let's assume we're using a JDBC Sink Connector. The key is to ensure the database write is idempotent.

    * Strategy 1: Natural Keys: If the alert itself has a natural primary key (e.g., (userId, transactionId)), you can use an INSERT ... ON CONFLICT DO NOTHING (in PostgreSQL) or MERGE statement.

    * Strategy 2: Dedicated ID: Include a unique ID (e.g., a UUID generated in the Kafka Streams app) in the outbox message. The sink consumer can then use this ID to de-duplicate writes.

    Example JdbcSinkConnector configuration snippet:

    json
    {
  "name": "alert-jdbc-sink",
  "config": {
    "connector.class": "io.confluent.connect.jdbc.JdbcSinkConnector",
    "topics": "alert-outbox",
    "connection.url": "jdbc:postgresql://localhost:5432/alerts_db",
    "table.name.format": "alerts",
    "pk.mode": "record_key", // Assuming the Kafka message key is the unique ID
    "insert.mode": "upsert",
    // ... other configs
  }
}

    This completes the end-to-end exactly-once pattern, safely isolating external side effects.

    Advanced Topic: Zombie Fencing and Transaction Timeouts

    Understanding how Kafka Streams handles failures is critical for production stability.

    Zombie Fencing

    In a distributed system, when an instance of your application becomes unresponsive (e.g., due to a long GC pause), the consumer group coordinator will assume it's dead and trigger a rebalance. A new instance will take over its assigned tasks (topic-partitions). However, the original instance might not be dead; it could wake up and resume processing, unaware that its tasks have been reassigned. This is a "zombie instance."

    If this zombie attempts to write to Kafka, it could produce data based on stale state, corrupting your output topics. This is a catastrophic failure for an EOS system.

    How exactly_once_v2 Solves This:

    exactly_once_v2 implements a robust fencing mechanism using the producer's transactional.id and an internal "epoch".

  • Each producer instance associated with a transactional.id is assigned an epoch number by the Transaction Coordinator.
  • When a rebalance occurs and a new instance initializes a producer with the same transactional.id, the coordinator increments the epoch for that ID.
  • The coordinator then fences off the old producer by rejecting any transactional requests from a producer with a stale (lower) epoch number. It will respond with a ProducerFencedException.
    • When the zombie instance attempts to commit its transaction, the broker rejects it. The Kafka Streams client catches this fatal exception and shuts down the zombie instance, preventing any data corruption.

    This fencing is a cornerstone of the reliability of EOS in Kafka Streams and happens automatically when exactly_once_v2 is enabled.

    Transaction Timeouts and Performance

    EOS is not free. It introduces latency and can impact throughput due to the coordination overhead.

    * transaction.timeout.ms: This producer configuration dictates how long the Transaction Coordinator will wait for a transaction to complete before proactively aborting it. It's a safeguard against hung applications. Crucially, this must be larger than max.poll.interval.ms + commit.interval.ms to avoid premature timeouts.

    * commit.interval.ms: This Kafka Streams setting controls how often to commit the current transaction. A higher value means more records are processed in a single transaction, improving throughput by reducing transactional overhead per message. However, it also increases end-to-end latency, as messages are not visible downstream until the transaction commits.

    Performance Tuning:

    * Benchmark: Always measure the performance impact of enabling EOS in your environment. Expect a latency increase of 10-30% as a starting point, depending on the workload.

    * Batching: Increase commit.interval.ms to a reasonable value (e.g., 1000ms) to group more operations into a single transaction. This is the most effective way to improve throughput.

    * Producer Batching: Tune linger.ms and batch.size for the internal transactional producer to optimize writes within the transaction.

    Conclusion

    Exactly-Once Semantics in Kafka Streams, via processing.guarantee=exactly_once_v2, is a powerful and robust mechanism for building mission-critical applications. However, treating it as a magic black box is a recipe for production failures. True reliability comes from understanding its constituent parts: the idempotence of the producer, the atomic nature of transactions, and the seamless orchestration provided by the Streams DSL.

    For senior engineers, the key takeaways are:

  • EOS is a Kafka-internal guarantee. Its promises end at the broker boundary. To interact with external systems, you must extend the transactional guarantee yourself.
  • The Transactional Outbox pattern is the gold standard for handling external side effects. It leverages Kafka's atomicity to ensure intents are written durably before being acted upon by an idempotent sink.
  • Failure handling is paramount. Mechanisms like zombie fencing are automatically handled but understanding them helps in debugging and building confidence in the system's resilience.
  • Performance is a trade-off. EOS introduces overhead. Tuning commit intervals and batching parameters is essential to strike the right balance between latency, throughput, and correctness for your specific use case.

    • Found this article helpful?

    Share it with others who might benefit from it.

    More Articles