III · 02 · Design Decisions & Their Alternatives

Source: Apache Kafka 4.4.0-SNAPSHOT (git 04bfe7d, 2026-06-15), KRaft mode. Architectural analysis grounded in the source-verified Part I and cited comparative sources.

Every system you admire is a frozen argument. Behind each of Kafka's headline behaviours, consumers that poll, a leader that serves every read, a partition count you can never lower, a broker that trusts the OS page cache with your data, sits a fork in the design space where the authors chose one road and rejected several others that real systems took instead. This chapter walks eight of those forks and, for each, does three things: states the alternative roads honestly (Dynamo-style sloppy quorums, Raft majorities, LSM trees, multi-writer logs, push delivery, broker-tracked acknowledgement, managed memory), names the axes of the tradeoff, and tells you when each road is the right one. The single most instructive decision is not any one of them but the deliberate split: Kafka runs ISR replication for the data partitions and a Raft majority quorum for the metadata log, two different consistency protocols in one product, each matched to a different workload. Understand why that split is correct and you have learned the most transferable lesson Kafka has to teach. Throughout, we mark which side of each tradeoff is inherent (a structural consequence you cannot configure away) versus tunable (a dial or a feature shifts it), because conflating those two is the most common way architects misjudge a log.

How to read a design decision

A design decision is not "feature X is good." It is "for the forces we expected, road A dominates roads B and C, and here is the price we knowingly pay." To keep the analysis honest, every section below is structured around the same four questions. Hold them in mind as you read.

Decision 1, Pull consumers vs push delivery

The fork. When committed data is available, who initiates its movement to the consumer? Kafka chose pull: the consumer issues Fetch requests on its own clock, and the broker never pushes records it was not asked for. There is, in fact, only one read path in the whole system, followers replicating and consumers draining walk the identical ReplicaManager.fetchMessages machinery, distinguished only by a replica-id field (I · 09 Fetch Path). KRaft's metadata replication is pull too: the class header is blunt that "replication is driven by replica fetching" (I · 10 KRaft Consensus). The rejected road is push, the model RabbitMQ and most classic message brokers take: the broker decides when a message leaves and shoves it down an established channel.

The axes. Pull trades per-message latency at low load against consumer-controlled flow, batching, and replay. Push wins the first; pull wins the rest, decisively.

Pull buys four properties that are awkward-to-impossible under push:

• Backpressure is free and correct. A slow consumer simply fetches less often; the broker never builds an unbounded per-consumer send buffer or has to decide whether to drop or block. Under push, "the consumer can't keep up" is the broker's emergency; under pull it is a non-event, the data just waits in the log it was already sitting in.
• Replay and time-travel. Because the consumer names the offset, "start again from yesterday" is the same operation as "read the next batch." A push broker that already handed you a message and forgot it cannot replay. This is the mechanism under event sourcing, Kappa reprocessing, and adding a brand-new consumer to a year-old topic (III · 01 When to Use the Log).
• Batching is consumer-optimal. The fetch carries fetch.min.bytes/fetch.max.wait.ms; the consumer decides how much to amortise per round-trip. New Relic cut whole-cluster broker CPU 15% by raising fetch.min.bytes on low-throughput topics, a single client-side change, impossible to express if the broker set the cadence (empirical).
• Fan-out is decoupled from the broker's work. Ten groups reading one partition are ten independent cursors over one log; the broker keeps no "delivered to group 7" state, so adding a reader costs it almost nothing (Decision 4 covers why).

The price, and whether it is inherent. A pull consumer with nothing to read must either return empty or wait, which adds latency at the tail of an idle stream. Kafka mitigates this with long-poll: fetch.max.wait.ms parks the request in purgatory and the broker completes it the instant data crosses the high watermark (I · 09), so an idle consumer does not busy-spin, and a record that arrives is served immediately, not on the next poll tick. That mitigation is real but does not fully erase the gap: at very low message rates a push broker can still deliver a single message in fewer microseconds because it never waited to be asked. This residual is inherent to pull. The empirical record confirms it: Kafka's per-message latency exceeds a push broker's at low load, a deliberate throughput-over-latency choice; RabbitMQ measures ~1 ms at low load but degrades past ~30 MB/s, while Kafka holds p99 ~5 ms up into the hundreds of MB/s (Confluent OMB, empirical, directional, vendor benchmark).

Decision 2, Leader-based ISR replication vs leaderless / quorum

This is the heart of the chapter, and the decision that most distinguishes Kafka from the Dynamo lineage and from textbook Raft. It has three parts: the ISR mechanism itself, the alternatives it beat for data, and, the crucial twist, the fact that Kafka also runs a Raft majority quorum for metadata, on purpose, in the same cluster.

What ISR actually is

The fork. How do you keep N copies of a partition consistent under failure? Kafka chose leader-based ISR replication: one leader per partition serves all reads and writes, followers pull from it, and the leader tracks an in-sync replica set, the followers currently caught up. A write with acks=all is committed only when every member of the ISR has it; the high watermark (the committed, consumer-visible boundary) is the minimum log-end offset over the ISR, and it refuses to advance while the ISR is below min.insync.replicas (I · 08 Replication). The ISR is not the leader's private opinion, in KRaft it is controller-authoritative: the leader proposes membership changes via the AlterPartition RPC and the controller commits them to the metadata log, so leadership and membership have a single linearizable history (I · 08, KIP-497).

The genius of ISR is that it makes the durability/latency tradeoff into a tunable dial with a clear arithmetic, rather than a fixed protocol property. With RF=3 and min.insync.replicas=2, every acknowledged write sits on at least 2 independent brokers at ack time, so you tolerate f=1 failures with f+1=2 required copies and RF=3 for headroom, and you can move that dial per topic (II · 06 Durability). Contrast this with a majority quorum, where the failure tolerance is fixed by the protocol at ⌊N/2⌋.

ISR vs majority quorum, the key difference. A majority quorum commits when the median replica acks; it is structurally robust to one slow node in a 3-node group because that node is simply not in the majority. ISR instead waits for everyone currently in-sync, but it actively manages who that is: a follower that falls behind replica.lag.time.max.ms is ejected, so it stops holding the high watermark back (I · 08). The two converge on the same goal (don't let one laggard stall commit) by opposite means: quorum ignores the slow node by counting; ISR evicts it by membership. The ISR approach has a subtle edge for the data plane: it lets you set min.insync.replicas to a value independent of RF, so a 5-replica topic can require only 2 in-sync (cheaper, faster) or all 5 (paranoid), where a Raft group of 5 is permanently locked to 3. That decoupling of durability floor from replica count is the dial that makes ISR right for data.

ISR vs Dynamo sloppy quorum, the key difference. Dynamo (and Cassandra, Riak) accept writes to any W replicas and read from any R, with W+R>N guaranteeing read/write overlap but not a total order, concurrent writes to the same key produce siblings that the application or read-repair must reconcile (vector clocks, last-write-wins). That is a brilliant fit for an always-available key-value store where the data model tolerates eventual convergence. It is the wrong model for a log, whose entire value proposition is a single, total, immutable order of records (III · 00). A log with siblings is not a log. ISR's single-leader-per-partition gives you that total order for free; the price (single writer, covered in Decision 7) is one Kafka happily pays because ordering is the product.

The deliberate split: ISR for data, Raft for metadata

Here is the lesson. Kafka does not use ISR for everything. The cluster's metadata, every topic, partition, leader, ISR, ACL, config, broker registration, lives in a single log, __cluster_metadata-0, replicated by a Raft majority quorum across a small set of controllers (I · 10 KRaft Consensus, I · 11 KRaft Controller). The same company, the same codebase, two different consistency protocols, chosen because the two workloads have opposite shapes.

Why is a majority quorum right for metadata when ISR is right for data? Three reasons, each the inverse of the data-plane argument:

• There is exactly one metadata log, so the per-write vote round is affordable. The thing that makes a voting round too expensive for data, you'd pay it millions of times across millions of partitions, simply does not apply to a single, low-write-rate metadata log. You pay the round once per metadata change, rarely.
• Metadata consistency is not a dial, it must always be maximal. A tunable durability floor is exactly wrong here. If two controllers could both believe they are active (split-brain), they would issue conflicting leadership decisions and corrupt the cluster. Raft's majority rule structurally forbids two leaders in the same epoch: a candidate needs a majority to win, and two disjoint majorities cannot exist (I · 10). The metadata plane wants the strongest guarantee unconditionally, which is precisely what a majority quorum provides and what a tunable ISR floor would undermine.
• Metadata must self-manage its own leadership with fast failover, without depending on the thing it bootstraps. The pre-KRaft design delegated this to ZooKeeper, an external majority-quorum system, which is the historical proof that metadata wants a quorum. KRaft (KIP-500) folds that quorum into Kafka so there is no second system to operate, and adds hot-standby controllers so failover does not require reloading all state (empirical: ZooKeeper-era controller failover was O(partitions) and could take minutes at extreme scale; KRaft targets near-instant). A self-managing Raft quorum is the right shape for the one component that everything else depends on.

Decision 3, Partition as the unit of parallelism + ordering

The fork. How do you shard a topic so it scales horizontally and preserves order where order matters? Kafka chose the partition: a topic is a fixed set of independent logs; a record's partition is normally murmur2(key) % numPartitions (I · 16 Producer Client); each partition is totally ordered, has a single leader, and is the unit of both parallelism (one consumer per partition per group) and ordering (per-key order holds because a key always lands in the same partition). The rejected roads are consistent hashing (Dynamo/Cassandra: keys on a ring, virtual nodes, automatic rebalancing) and range sharding (HBase/Bigtable: contiguous key ranges that split as they grow).

Why hash-mod-N is right for a log. The partition's job is to be the ordering unit, and ordering wants a stable, cheap, deterministic mapping from key to log. hash % N is exactly that: any producer, with no shared state, computes the same partition for a key, so per-key order is preserved without coordination. The simplicity compounds, a partition is a self-contained append-only log, which is why "log appends occur without coordination between shards" and "throughput scales linearly" with partition count (Kreps, empirical). Consistent hashing and range sharding both buy smooth resharding at the cost of ordering and simplicity: a consistent-hash ring has no notion of a total order across the keys it scatters, and a range that splits hands you two ranges whose interleaving is no longer the original order. For a key-value store that is the correct trade; for a log it surrenders the product.

Decision 4, Consumer-tracked offsets vs broker-tracked acknowledgement

The fork. Who remembers how far each consumer has read? Kafka chose consumer-tracked offsets, the "dumb broker, smart client" philosophy. The broker does not track per-message delivery or per-consumer acknowledgement at all. A consumer reads from an offset and periodically commits its position; that commit is just another record, written to the __consumer_offsets topic. The rejected road is broker-tracked acknowledgement, the classic message-broker model (RabbitMQ, JMS, SQS): the broker holds per-message state, marks each message delivered/acked/redelivered, and removes it once consumed.

Why dumb-broker is right for a log. Pushing read-position state to clients is what makes the broker's two best properties cheap: fan-out and replay. Because the broker stores one log and no per-consumer delivery state, ten groups reading a partition cost the broker one log and ten integers (their committed offsets), not ten copies or ten delivery tables. And because nothing is consumed-and-deleted, any consumer can rewind. The literal implementation is the punchline: the group coordinator has no separate database, its durable state is the __consumer_offsets log, every commit is a record, and failover is "replay the partition" (I · 13 Group Coordination). Offset tracking is itself an application of the log pattern. Broker-tracked acknowledgement buys the opposite set of properties, selective ack, per-message TTL/priority, content routing, at the cost of per-message broker state that does not fan out and cannot replay. For request/queue workloads that is the right trade (and it is exactly where RabbitMQ wins; empirical); for a replayable fan-out log it is the wrong one.

Decision 5, Page cache + zero-copy vs managed memory / direct IO

The fork. Who manages the memory that buffers your data between disk and network? Kafka chose to rely on the OS page cache and the sendfile zero-copy path: the broker keeps a tiny JVM heap and lets the kernel cache log data; a consumer fetch of cached data is served by FileChannel.transferTo straight from page cache to socket, never copying through user space or the JVM heap (I · 03 Storage Log Engine, I · 09). The rejected road is managed memory + direct IO: own your cache in application space, use O_DIRECT to bypass the kernel cache, and control exactly what is resident, the model Redpanda takes with a C++ thread-per-core, DMA-based runtime (empirical).

Why mechanical sympathy is right for a log. A log's access pattern is the kindest case for the page cache: writes are sequential appends and the dominant read is the tail, the records just written, which are exactly the pages the kernel still has hot. So the page cache, with zero tuning, gives you near-RAM read throughput for the common case and a free zero-copy path to the socket, while letting Kafka keep a tiny heap and almost no caching code. This is "mechanical sympathy": align with what the hardware and OS already do well instead of fighting them. The empirical record is decisive against the headline claim that owning memory wins: on identical hardware Kafka often matched or beat Redpanda, ~1900 vs 1400 MB/s at NVMe saturation, and Redpanda's tail latency degraded under sustained load and TLS while Kafka's held or improved (Jack Vanlightly, empirical; vendor "10×/3×" claims used a crippled Kafka, forced per-batch fsync, Java 11, and "do not generalize"). The lesson is not "page cache always wins"; it is that delegating to a battle-tested kernel path is a strong default, and beating it requires more than a benchmark.

Decision 6, Append-only segments vs LSM-tree / B-tree

The fork. What on-disk structure backs a partition? Kafka chose append-only segments: a partition is an ordered set of immutable segment files, each a .log plus sparse memory-mapped indexes (.index, .timeindex); a write is a sequential append to the active segment, a read-by-offset is a binary search of a sparse index then a sequential scan, and old data is reclaimed by dropping whole segments (I · 03, I · 04 Storage Management). The rejected roads are the two great mutable-store structures: the B-tree (in-place updates, the workhorse of relational databases) and the LSM-tree (buffered writes + background compaction, the workhorse of RocksDB/Cassandra/modern KV stores).

Why append-only is right for a log. The log's data model is immutable, totally-ordered records read by position, it does not have updates or random key lookups to support, so the machinery that B-trees and LSM-trees exist to provide is pure cost here. By renouncing mutation, Kafka gets the cheapest possible write (a sequential append, write-amplification ~1×) and the cheapest possible reclamation (unlink a file). Crucially, "accumulating more stored data doesn't make it slower" (Kreps, empirical), there is no tree to rebalance, no compaction debt that grows with dataset size, because the structure is a flat append. An LSM-tree pays continuous compaction to keep key-sorted order; a B-tree pays random IO to keep in-place updates; both are buying capabilities (read-by-key, update) that a log deliberately does not offer.

Decision 7, Single-writer (leader) per partition vs multi-writer

The fork. Can more than one node accept writes to the same partition at once? Kafka chose single-writer: exactly one leader per partition accepts every append, assigns the monotonic offset, and serves every read; followers only replicate (I · 08). The rejected road is multi-writer, multiple nodes accepting writes to the same logical shard concurrently, as in multi-leader/active-active databases or leaderless KV stores, which requires conflict resolution (last-write-wins, CRDTs, vector clocks) or a consensus round on every write to agree an order.

Why single-writer is right for a log. A log is a total order, and the cheapest way to produce a total order is to have one writer assign positions. With a single leader, the offset is just a counter; there is never a conflict to resolve because there is never a second opinion about what comes next. Multi-writer would hand you exactly the problem ISR-vs-Dynamo already settled (Decision 2): concurrent writers produce an order that must be reconciled, and a reconciled "order" is not the immutable, total order a log promises. Single-writer also makes the acks=all durability story clean, there is one leader whose log is authoritative, so "committed" has a single, unambiguous meaning (the high watermark on that leader), and a returning ex-leader simply truncates to the new leader's epoch boundary rather than negotiating a merge (I · 08, leader epochs / KIP-101).

Decision 8, Coordinators as replicated logs

The fork. Where does a stateful broker subsystem, group membership, committed offsets, transaction state, keep its durable state? Kafka chose, repeatedly and on purpose, to make these subsystems replicated state machines over an internal log rather than to give them a bespoke datastore. The group coordinator's state is the __consumer_offsets log: every join, every offset commit, every assignment is a record; in-memory state is a deterministic replay of those records; and failover is "the new coordinator loads the partition and replays it" (I · 13). The transaction coordinator does the same over __transaction_state (I · 14). The rejected road is the obvious one most systems take: give each subsystem its own store (an embedded database, a ZooKeeper subtree, a custom on-disk format) with its own replication, durability, and failover code.

Why coordinators-as-logs is right. Kafka already had to build a correct, durable, fast, replicated log, that is the product. Making every stateful subsystem ride that same machinery is massive code reuse of the hardest part of the system. The coordinator does not implement durability (the partition's ISR replication does), does not implement failover (loading-and-replaying a partition does), and does not implement the consistency boundary (the high watermark is exactly the trigger that releases a response once its record is committed; I · 13). Three guarantees the subsystem would otherwise have had to re-derive, durability, failover, read-your-committed-write, fall out for free because the state is a log. This is dogfooding as architecture: the abstraction is good enough that the system builds itself on it.

The decisions as one coherent system

Read individually, the eight forks look like independent engineering calls. Read together, they are one bet repeated: optimise relentlessly for a durable, totally-ordered, replayable, high-throughput fan-out log, and pay wherever that abstraction does not value the currency. Each decision reinforces the others, pull consumers and consumer-tracked offsets together make fan-out and replay cheap; single-writer and hash-partitioning together make per-key total order cheap; append-only storage and page-cache reliance together make sequential throughput cheap; ISR-for-data and Raft-for-metadata together make the whole thing both scalable and self-consistent.