KAFKA-20462: Preserve original source-record headers in ErrorHandlerContext

A user-supplied Deserializer is allowed to mutate the live Headers
reference (e.g. a LargeMessageDeserializer that strips serde-internal
headers so they don't leak downstream). The same Headers reference
flows into ErrorHandlerContext used by both the
DeserializationExceptionHandler and the ProcessingExceptionHandler,
so when these handlers read context.headers() -- and when
ExceptionHandlerUtils#buildDeadLetterQueueRecord copies those headers
into a DLQ record -- they observe the post-mutation state, even
though the javadoc on ErrorHandlerContext#headers() promises "the
headers of the current source record".

Snapshot rawRecord.headers() in RecordQueue#updateHead before
invoking RecordDeserializer#deserialize, and propagate the snapshot
through two paths:

  - As an explicit parameter to RecordDeserializer#deserialize so the
    DeserializationExceptionHandler error path uses the original
    source headers when the Deserializer threw.
  - On a new transient sourceRawHeaders field on StampedRecord and
    ProcessorRecordContext (mirroring the existing
    sourceRawKey/sourceRawValue lifecycle: not serialized, cleared
    by freeRawRecord), so that ProcessorNode -- when invoking the
    ProcessingExceptionHandler after a downstream processor failed
    on a successfully-deserialized record -- builds the
    DefaultErrorHandlerContext from the snapshot rather than the
    live (possibly mutated) Headers reference.

GlobalStateUpdateTask and GlobalStateManagerImpl get the same
treatment for the global-state restore path (deserialization-failure
and processing-failure respectively).

The downstream Record passed to processors still carries the live
(possibly mutated) Headers reference, so processors that legitimately
rely on a Deserializer mutating headers (the LargeMessageDeserializer
pattern) continue to see the mutated view -- only the error-handler
context is changed to honor its documented contract.

Two regression tests:

  - RecordDeserializerTest covers the
    DeserializationExceptionHandler path: a Deserializer that mutates
    headers then throws.
  - ProcessorNodeTest covers the ProcessingExceptionHandler path: a
    ProcessorRecordContext where the live headers have already been
    mutated but sourceRawHeaders preserves the originals, and a
    processor throws.

Author: 1fanwang

streams/src/main/java/org/apache/kafka/streams/processor/internals/GlobalStateManagerImpl.java

@@ -23,6 +23,8 @@
 import org.apache.kafka.common.PartitionInfo;
 import org.apache.kafka.common.TopicPartition;
 import org.apache.kafka.common.errors.TimeoutException;
+import org.apache.kafka.common.header.Headers;
+import org.apache.kafka.common.header.internals.RecordHeaders;
 import org.apache.kafka.common.metrics.Sensor;
 import org.apache.kafka.common.serialization.ByteArrayDeserializer;
 import org.apache.kafka.common.utils.LogContext;
@@ -369,6 +371,12 @@ private void reprocessState(final StateStoreMetadata storeMetadata) {
                     if (record.key() != null) {
                         // Deserialization phase
                         final Record<?, ?> deserializedRecord;
+                        // Snapshot headers before invoking the user-supplied
+                        // Deserializers so the ErrorHandlerContext seen by the
+                        // DeserializationExceptionHandler reflects the original
+                        // source-record headers, even if a Deserializer mutates
+                        // the live Headers reference.
+                        final Headers sourceRecordHeaders = new RecordHeaders(record.headers());
                         try {
                             deserializedRecord = new Record<>(
                                 reprocessFactory.keyDeserializer().deserialize(record.topic(), record.headers(), record.key()),
@@ -384,6 +392,7 @@ private void reprocessState(final StateStoreMetadata storeMetadata) {
                                 globalProcessorContext,
                                 deserializationException,
                                 record,
+                                sourceRecordHeaders,
                                 log,
                                 droppedRecordsSensor,
                                 null
@@ -406,7 +415,7 @@ private void reprocessState(final StateStoreMetadata storeMetadata) {
                                     record.topic(),
                                     record.partition(),
                                     record.offset(),
-                                    record.headers(),
+                                    sourceRecordHeaders,
                                     reprocessFactory.processorName(),
                                     globalProcessorContext.taskId(),
                                     record.timestamp(),

streams/src/main/java/org/apache/kafka/streams/processor/internals/GlobalStateUpdateTask.java

@@ -18,6 +18,8 @@
 
 import org.apache.kafka.clients.consumer.ConsumerRecord;
 import org.apache.kafka.common.TopicPartition;
+import org.apache.kafka.common.header.Headers;
+import org.apache.kafka.common.header.internals.RecordHeaders;
 import org.apache.kafka.common.utils.LogContext;
 import org.apache.kafka.common.utils.Time;
 import org.apache.kafka.common.utils.Utils;
@@ -109,7 +111,13 @@ public Map<TopicPartition, Long> initialize() {
     @Override
     public void update(final ConsumerRecord<byte[], byte[]> record) {
         final RecordDeserializer sourceNodeAndDeserializer = deserializers.get(record.topic());
-        final ConsumerRecord<Object, Object> deserialized = sourceNodeAndDeserializer.deserialize(processorContext, record);
+        // Snapshot headers before invoking the user-supplied Deserializer so
+        // ErrorHandlerContext#headers() observed by the
+        // DeserializationExceptionHandler / ProcessingExceptionHandler exposes
+        // the original source-record headers, even if a Deserializer mutates
+        // the live Headers reference.
+        final Headers sourceRawHeaders = new RecordHeaders(record.headers());
+        final ConsumerRecord<Object, Object> deserialized = sourceNodeAndDeserializer.deserialize(processorContext, record, sourceRawHeaders);
 
         if (deserialized != null) {
             final ProcessorRecordContext recordContext =
@@ -118,7 +126,10 @@ public void update(final ConsumerRecord<byte[], byte[]> record) {
                     deserialized.offset(),
                     deserialized.partition(),
                     deserialized.topic(),
-                    deserialized.headers());
+                    deserialized.headers(),
+                    null,
+                    null,
+                    sourceRawHeaders);
             processorContext.setRecordContext(recordContext);
             processorContext.setCurrentNode(sourceNodeAndDeserializer.sourceNode());
             final Record<Object, Object> toProcess = new Record<>(

streams/src/main/java/org/apache/kafka/streams/processor/internals/ProcessorNode.java

@@ -17,7 +17,9 @@
 package org.apache.kafka.streams.processor.internals;
 
 import org.apache.kafka.clients.producer.ProducerRecord;
+import org.apache.kafka.common.header.Headers;
 import org.apache.kafka.common.metrics.Sensor;
+import org.apache.kafka.streams.processor.RecordContext;
 import org.apache.kafka.streams.errors.ErrorHandlerContext;
 import org.apache.kafka.streams.errors.ProcessingExceptionHandler;
 import org.apache.kafka.streams.errors.StreamsException;
@@ -215,12 +217,21 @@ public void process(final Record<KIn, VIn> record) {
                 throw processingException;
             }
 
+            // ErrorHandlerContext#headers() is documented to expose the source
+            // record's headers. When the live recordContext is a
+            // ProcessorRecordContext that captured a sourceRawHeaders snapshot
+            // (i.e. the record came from a deserialized ConsumerRecord), use
+            // that snapshot so the handler -- and any DLQ record built from it
+            // -- sees the original headers even if a Deserializer mutated the
+            // live Headers reference. Fall back to the live headers when no
+            // snapshot is available (e.g. internal/synthetic record contexts).
+            final Headers sourceRecordHeaders = sourceRawHeadersOrLive(internalProcessorContext.recordContext());
             final ErrorHandlerContext errorHandlerContext = new DefaultErrorHandlerContext(
                 null, // only required to pass for DeserializationExceptionHandler
                 internalProcessorContext.recordContext().topic(),
                 internalProcessorContext.recordContext().partition(),
                 internalProcessorContext.recordContext().offset(),
-                internalProcessorContext.recordContext().headers(),
+                sourceRecordHeaders,
                 internalProcessorContext.currentNode().name(),
                 internalProcessorContext.taskId(),
                 internalProcessorContext.recordContext().timestamp(),
@@ -310,4 +321,14 @@ public String toString(final String indent) {
         }
         return sb.toString();
     }
+
+    private static Headers sourceRawHeadersOrLive(final RecordContext recordContext) {
+        if (recordContext instanceof ProcessorRecordContext) {
+            final Headers snapshot = ((ProcessorRecordContext) recordContext).sourceRawHeaders();
+            if (snapshot != null) {
+                return snapshot;
+            }
+        }
+        return recordContext.headers();
+    }
 }

streams/src/main/java/org/apache/kafka/streams/processor/internals/ProcessorRecordContext.java

@@ -40,19 +40,21 @@ public class ProcessorRecordContext implements RecordContext, RecordMetadata {
     private final Headers headers;
     private byte[] sourceRawKey;
     private byte[] sourceRawValue;
+    // Snapshot of the source record's headers taken before any user-supplied
+    // Deserializer ran. Like {@link #sourceRawKey}/{@link #sourceRawValue},
+    // this is transient (not serialized) and is cleared by
+    // {@link #freeRawRecord()}. Used by the error-handler construction sites
+    // in StreamTask and ProcessorNode so that ErrorHandlerContext#headers()
+    // can return the original source-record headers even when a Deserializer
+    // mutated the live Headers instance.
+    private Headers sourceRawHeaders;
 
     public ProcessorRecordContext(final long timestamp,
                                   final long offset,
                                   final int partition,
                                   final String topic,
                                   final Headers headers) {
-        this.timestamp = timestamp;
-        this.offset = offset;
-        this.topic = topic;
-        this.partition = partition;
-        this.headers = Objects.requireNonNull(headers);
-        this.sourceRawKey = null;
-        this.sourceRawValue = null;
+        this(timestamp, offset, partition, topic, headers, null, null, null);
     }
 
     public ProcessorRecordContext(final long timestamp,
@@ -62,13 +64,25 @@ public ProcessorRecordContext(final long timestamp,
                                   final Headers headers,
                                   final byte[] sourceRawKey,
                                   final byte[] sourceRawValue) {
+        this(timestamp, offset, partition, topic, headers, sourceRawKey, sourceRawValue, null);
+    }
+
+    public ProcessorRecordContext(final long timestamp,
+                                  final long offset,
+                                  final int partition,
+                                  final String topic,
+                                  final Headers headers,
+                                  final byte[] sourceRawKey,
+                                  final byte[] sourceRawValue,
+                                  final Headers sourceRawHeaders) {
         this.timestamp = timestamp;
         this.offset = offset;
         this.topic = topic;
         this.partition = partition;
         this.headers = Objects.requireNonNull(headers);
         this.sourceRawKey = sourceRawKey;
         this.sourceRawValue = sourceRawValue;
+        this.sourceRawHeaders = sourceRawHeaders;
     }
 
     @Override
@@ -106,6 +120,18 @@ public byte[] sourceRawValue() {
         return sourceRawValue;
     }
 
+    /**
+     * Returns the snapshot of the source record's headers taken before any
+     * user-supplied {@code Deserializer} ran, or {@code null} if no snapshot
+     * was captured (e.g., for {@code ProcessorRecordContext} instances that
+     * were not constructed from a live consumer record). This is consumed by
+     * Streams error-handler construction sites and is not part of the public
+     * {@link RecordContext} interface.
+     */
+    public Headers sourceRawHeaders() {
+        return sourceRawHeaders;
+    }
+
     public long residentMemorySizeEstimate() {
         long size = 0;
         size += Long.BYTES; // value.context.timestamp
@@ -210,6 +236,7 @@ public static ProcessorRecordContext deserialize(final ByteBuffer buffer) {
     public void freeRawRecord() {
         this.sourceRawKey = null;
         this.sourceRawValue = null;
+        this.sourceRawHeaders = null;
     }
 
     @Override
@@ -227,7 +254,8 @@ public boolean equals(final Object o) {
             Objects.equals(topic, that.topic) &&
             Objects.equals(headers, that.headers) &&
             Arrays.equals(sourceRawKey, that.sourceRawKey) &&
-            Arrays.equals(sourceRawValue, that.sourceRawValue);
+            Arrays.equals(sourceRawValue, that.sourceRawValue) &&
+            Objects.equals(sourceRawHeaders, that.sourceRawHeaders);
     }
 
     /**

streams/src/main/java/org/apache/kafka/streams/processor/internals/RecordDeserializer.java

@@ -18,6 +18,7 @@
 
 import org.apache.kafka.clients.consumer.ConsumerRecord;
 import org.apache.kafka.clients.producer.ProducerRecord;
+import org.apache.kafka.common.header.Headers;
 import org.apache.kafka.common.metrics.Sensor;
 import org.apache.kafka.common.record.TimestampType;
 import org.apache.kafka.common.utils.LogContext;
@@ -55,8 +56,16 @@ public class RecordDeserializer {
      *                          or throws an exception itself
      */
     ConsumerRecord<Object, Object> deserialize(final ProcessorContext<?, ?> processorContext,
-                                               final ConsumerRecord<byte[], byte[]> rawRecord) {
+                                               final ConsumerRecord<byte[], byte[]> rawRecord,
+                                               final Headers sourceRecordHeaders) {
 
+        // sourceRecordHeaders is a snapshot of rawRecord.headers() captured by
+        // the caller BEFORE this method runs, because user-supplied
+        // Deserializers are allowed to mutate the live Headers reference (e.g.
+        // a LargeMessageDeserializer that strips serde-internal headers) and
+        // we still need ErrorHandlerContext#headers() to expose the original
+        // source-record headers per its javadoc, so that DLQ records can be
+        // reconstructed faithfully.
         try {
             return new ConsumerRecord<>(
                 rawRecord.topic(),
@@ -75,7 +84,7 @@ ConsumerRecord<Object, Object> deserialize(final ProcessorContext<?, ?> processo
             // while Java distinguishes checked vs unchecked exceptions, other languages
             // like Scala or Kotlin do not, and thus we need to catch `Exception`
             // (instead of `RuntimeException`) to work well with those languages
-            handleDeserializationFailure(deserializationExceptionHandler, processorContext, deserializationException, rawRecord, log, droppedRecordsSensor, sourceNode().name());
+            handleDeserializationFailure(deserializationExceptionHandler, processorContext, deserializationException, rawRecord, sourceRecordHeaders, log, droppedRecordsSensor, sourceNode().name());
             return null; //  'handleDeserializationFailure' would either throw or swallow -- if we swallow we need to skip the record by returning 'null'
         }
     }
@@ -84,6 +93,7 @@ public static void handleDeserializationFailure(final DeserializationExceptionHa
                                                     final ProcessorContext<?, ?> processorContext,
                                                     final Exception deserializationException,
                                                     final ConsumerRecord<byte[], byte[]> rawRecord,
+                                                    final Headers sourceRecordHeaders,
                                                     final Logger log,
                                                     final Sensor droppedRecordsSensor,
                                                     final String sourceNodeName) {
@@ -93,7 +103,7 @@ public static void handleDeserializationFailure(final DeserializationExceptionHa
             rawRecord.topic(),
             rawRecord.partition(),
             rawRecord.offset(),
-            rawRecord.headers(),
+            sourceRecordHeaders,
             sourceNodeName,
             processorContext.taskId(),
             rawRecord.timestamp(),

streams/src/main/java/org/apache/kafka/streams/processor/internals/RecordQueue.java

@@ -18,6 +18,8 @@
 
 import org.apache.kafka.clients.consumer.ConsumerRecord;
 import org.apache.kafka.common.TopicPartition;
+import org.apache.kafka.common.header.Headers;
+import org.apache.kafka.common.header.internals.RecordHeaders;
 import org.apache.kafka.common.metrics.Sensor;
 import org.apache.kafka.common.utils.LogContext;
 import org.apache.kafka.streams.errors.DeserializationExceptionHandler;
@@ -212,8 +214,16 @@ private void updateHead() {
 
         while (headRecord == null && !fifoQueue.isEmpty()) {
             final ConsumerRecord<byte[], byte[]> raw = fifoQueue.pollFirst();
+            // Snapshot raw.headers() before invoking the user-supplied
+            // Deserializer in deserialize(...). The same snapshot is then
+            // attached to the StampedRecord so it can be carried through to
+            // the ProcessingExceptionHandler error path -- a Deserializer is
+            // free to mutate the live Headers reference, but
+            // ErrorHandlerContext#headers() must continue to expose the
+            // original source-record headers per its javadoc.
+            final Headers sourceRawHeaders = new RecordHeaders(raw.headers());
             final ConsumerRecord<Object, Object> deserialized =
-                recordDeserializer.deserialize(processorContext, raw);
+                recordDeserializer.deserialize(processorContext, raw, sourceRawHeaders);
 
             if (deserialized == null) {
                 // this only happens if the deserializer decides to skip. It has already logged the reason.
@@ -243,7 +253,7 @@ private void updateHead() {
                 lastCorruptedRecord = raw;
                 continue;
             }
-            headRecord = new StampedRecord(deserialized, timestamp, raw.key(), raw.value());
+            headRecord = new StampedRecord(deserialized, timestamp, raw.key(), raw.value(), sourceRawHeaders);
             headRecordSizeInBytes = consumerRecordSizeInBytes(raw);
         }
 

streams/src/main/java/org/apache/kafka/streams/processor/internals/StampedRecord.java

@@ -25,20 +25,32 @@ public class StampedRecord extends Stamped<ConsumerRecord<?, ?>> {
 
     private final byte[] rawKey;
     private final byte[] rawValue;
+    // Snapshot of the source record's headers taken before any Deserializer
+    // ran, propagated downstream so that ErrorHandlerContext#headers() can
+    // expose the original source-record headers even after a Deserializer
+    // mutated the live Headers instance.
+    private final Headers rawHeaders;
 
     public StampedRecord(final ConsumerRecord<?, ?> record, final long timestamp) {
-        super(record, timestamp);
-        this.rawKey = null;
-        this.rawValue = null;
+        this(record, timestamp, null, null, null);
     }
 
     public StampedRecord(final ConsumerRecord<?, ?> record,
                          final long timestamp,
                          final byte[] rawKey,
                          final byte[] rawValue) {
+        this(record, timestamp, rawKey, rawValue, null);
+    }
+
+    public StampedRecord(final ConsumerRecord<?, ?> record,
+                         final long timestamp,
+                         final byte[] rawKey,
+                         final byte[] rawValue,
+                         final Headers rawHeaders) {
         super(record, timestamp);
         this.rawKey = rawKey;
         this.rawValue = rawValue;
+        this.rawHeaders = rawHeaders;
     }
 
     public String topic() {
@@ -77,6 +89,10 @@ public byte[] rawValue() {
         return rawValue;
     }
 
+    public Headers rawHeaders() {
+        return rawHeaders;
+    }
+
     @Override
     public String toString() {
         return value.toString() + ", timestamp = " + timestamp;

streams/src/main/java/org/apache/kafka/streams/processor/internals/StreamTask.java

@@ -874,7 +874,8 @@ private void doProcess(final long wallClockTime) {
             record.topic(),
             record.headers(),
             record.rawKey(),
-            record.rawValue()
+            record.rawValue(),
+            record.rawHeaders()
         );
         updateProcessorContext(currNode, wallClockTime, recordContext);