KIP-841 — Fenced replicas should not be allowed to join the ISR in KRaft
Accepted Kafka 3.3 KRaftBroker
Enforces in KRaft mode that fenced or in-controlled-shutdown replicas cannot join the ISR (new INELIGIBLE_REPLICA error on AlterPartition) or be elected leader, and persists the controlled-shutdown state in the metadata log. Without this enforcement, a leader could add a fenced replica to the ISR via a stale AlterPartition, allowing a broker with missing data to serve as leader and cause data loss.
Protocol Impact
Details
| Author | David Jacot |
| Status | Accepted |
| Kafka Version | 3.3 |
| JIRA | KAFKA-13916 |
| Wiki | View on Apache Wiki |
| Created | 2022-05-17 |
| Last Modified | 2022-06-16 |
Explore how this KIP affects the Kafka protocol in the Protocol Explorer, or see the full KIP database.