需求分析
- 构建一个事件驱动的会员成长值与权益发放微服务集,服务包括:member-service、points-service、benefits-service、order-listener、notification-service。
- 事件通道:Kafka 主题 orders.paid、points.accrued、tier.changed、benefit.granted;所有出站事件通过 Outbox 模式确保数据库更新与事件发布一致。
- 数据模型:Member、PointLedger、Tier、Benefit、BenefitIssue,覆盖成长值账本、等级、权益库存与发放记录。
- 核心流程:
- 订单支付事件进入 order-listener,基于幂等键(order_id+member_id)防重,转换为成长值规则输入;
- points-service 计算成长值并写入账本,发布 points.accrued;
- member-service 订阅成长值事件评估等级(门槛、有效期、多维权重),升级则发布 tier.changed;
- benefits-service 订阅等级变化,按策略发放权益,写入 BenefitIssue 并发布 benefit.granted;
- notification-service 消费通知事件推送给用户。
- 跨服务一致性:Saga 编排,失败时通过补偿步骤撤销权益或回滚成长值。所有接口要求幂等。发放流程使用状态机驱动。
- 非功能:高可用(多副本)、可扩展(按 member_id 分区)、告警(滞留事件、补偿失败)、合规(审计日志、数据脱敏)、运维(定期对账、死信监控、灰度发布)、安全(服务间 mTLS,外部限流与签名)、测试(重复事件幂等、等级边界升级、库存耗尽补偿、跨区分片一致性)。
架构概述
- 服务与职责
- order-listener:订阅 orders.paid,校验幂等,转换为成长值规则输入,调用 points-service 接口。
- points-service:成长值规则引擎,账本写入与余额维护,Outbox 发布 points.accrued。
- member-service:订阅 points.accrued,评估等级(门槛、有效期、多维权重),更新 Member,发布 tier.changed。
- benefits-service:订阅 tier.changed,按策略发放权益,状态机与 Saga 编排,发布 benefit.granted。
- notification-service:订阅 benefit.granted(和可选 tier.changed),推送消息。
- 数据存储(每服务独立数据库)
- Member(id, mobile, tier, status, updated_at, audit_info)
- PointLedger(id, member_id, delta, source, idempotency_key, balance, created_at, status)
- Tier(id, name, threshold, valid_window, weight_model)
- Benefit(id, type, stock, valid_time, policy_id, status)
- BenefitIssue(id, member_id, benefit_id, status, saga_id, idempotency_key, created_at, updated_at)
- Outbox(id, event_type, aggregate_id, payload, event_id, created_at, sent_at, status, retry_count)
- IdempotencyStore(key, scope, status, result_ref, created_at, expires_at)
- AuditLog(actor, action, resource_id, resource_type, before, after, at, redacted_fields)
- 事件与分区
- Kafka 主题:orders.paid、points.accrued、tier.changed、benefit.granted、dead-letter。
- 分区键:member_id(确保单会员内事件顺序)。
- Outbox 模式
- 数据变更与 Outbox 记录在同一事务内提交;后台 OutboxRelayer 拉取并发布到 Kafka,成功后标记 sent。
- 发布语义:至少一次 + 事件幂等(event_id 去重)。
- Saga 编排
- 编排位置:由 benefits-service 内置 SagaManager 按策略驱动(不新增独立服务,符合服务清单)。
- Saga 实例:与“等级变更触发的权益发放”或“API主动发放”绑定,包含步骤与补偿。
- 补偿策略:失败时撤销权益(释放库存,标记失败/已补偿),可选回滚成长值(写反向账本)按策略开关。
- 状态机(核心对象)
- BenefitIssue 状态:PENDING -> RESERVED -> GRANTED -> NOTIFIED;失败路径:PENDING/RESERVED -> FAILED -> COMPENSATED。
- PointLedger 状态:POSTED,COMPENSATION_POSTED(负向冲正)。
- API(对外)
- POST /members
- GET /members/{id}
- POST /points/accrue {order_id, amount, idempotency_key}
- GET /tiers
- POST /benefits/grant {member_id, policy_id, idempotency_key}
- 安全与合规
- mTLS 服务间鉴权;外部接口 HMAC 签名 + 限流;审计日志与数据脱敏。
- 观测与运维
- 指标:Outbox 滞留、DLQ 消息计数、Saga 失败率、库存可用量、账本对账差值。
- 定期对账、死信队列消费与重放、灰度发布逐步扩容。
伪代码
- 通用组件:Idempotency 与 Outbox
FUNCTION EnsureIdempotency(scope, key):
existing = SELECT * FROM IdempotencyStore WHERE scope = scope AND key = key
IF existing EXISTS AND existing.status == "COMPLETED":
RETURN existing.result_ref
ELSE IF existing EXISTS AND existing.status == "IN_PROGRESS":
RAISE "RETRY_LATER"
ELSE:
INSERT INTO IdempotencyStore(scope, key, status="IN_PROGRESS", created_at=NOW)
RETURN null
FUNCTION CompleteIdempotency(scope, key, result_ref):
UPDATE IdempotencyStore SET status="COMPLETED", result_ref=result_ref WHERE scope=scope AND key=key
FUNCTION WriteOutbox(event_type, aggregate_id, payload):
event_id = GENERATE_UUID()
INSERT INTO Outbox(event_type, aggregate_id, payload, event_id, created_at=NOW, status="PENDING")
RETURN event_id
PROCESS OutboxRelayer:
LOOP:
rows = SELECT * FROM Outbox WHERE status="PENDING" ORDER BY created_at LIMIT N
FOR each row IN rows:
TRY:
PUBLISH_TO_KAFKA(topic=row.event_type, key=row.aggregate_id, message=payload_with_event_id(row))
UPDATE Outbox SET status="SENT", sent_at=NOW WHERE id=row.id
CATCH transient_error:
UPDATE Outbox SET retry_count = retry_count + 1 WHERE id=row.id
IF retry_count > MAX_RETRY:
MOVE_TO_DLQ(row)
SLEEP short_interval
- order-listener(消费 orders.paid 事件并调用 points-service)
CONSUMER OnOrdersPaid(event from orders.paid):
member_id = event.member_id
order_id = event.order_id
amount = event.amount
idempotency_key = CONCAT(order_id, ":", member_id)
IF IsDuplicateEvent(event.event_id):
ACK; RETURN
IF EnsureIdempotency(scope="ORDERS_PAID", key=idempotency_key) == "RETRY_LATER":
NACK; RETURN
points_input = TRANSFORM_TO_POINTS_INPUT(amount, event.category, event.timestamp)
TRY:
CALL points-service POST /points/accrue {order_id, amount=points_input.amount, idempotency_key}
CompleteIdempotency("ORDERS_PAID", idempotency_key, result_ref=order_id)
ACK
CATCH client_error (4xx):
// Business validation failed; finalize idempotency to avoid infinite retry
CompleteIdempotency("ORDERS_PAID", idempotency_key, result_ref="FAILED")
ACK
CATCH server_error (5xx or timeout):
// retry later
NACK
- points-service(成长值计算与账本写入,Outbox 发布 points.accrued)
API POST /points/accrue(request):
key = request.idempotency_key
IF EnsureIdempotency(scope="POINTS_ACCRUE", key=key) == "RETRY_LATER":
RETURN 409 Retry
BEGIN TRANSACTION
existing = SELECT * FROM PointLedger WHERE idempotency_key = key
IF existing EXISTS:
COMMIT
CompleteIdempotency("POINTS_ACCRUE", key, result_ref=existing.id)
RETURN 200 existing
delta = APPLY_POINTS_RULES(order_id=request.order_id, amount=request.amount, member_profile=LOAD_MEMBER(request.member_id))
current_balance = SELECT SUM(delta) FROM PointLedger WHERE member_id = request.member_id AND status IN ("POSTED", "COMPENSATION_POSTED")
new_balance = current_balance + delta
INSERT INTO PointLedger(id=NEW_ID, member_id=request.member_id, delta=delta, source="ORDER", idempotency_key=key, balance=new_balance, status="POSTED", created_at=NOW)
event_id = WriteOutbox(event_type="points.accrued",
aggregate_id=request.member_id,
payload = { ledger_id: NEW_ID, member_id: request.member_id, delta: delta, balance: new_balance, idempotency_key: key, source: "ORDER" })
COMMIT
CompleteIdempotency("POINTS_ACCRUE", key, result_ref=NEW_ID)
RETURN 200 { ledger_id: NEW_ID, balance: new_balance }
FUNCTION ReverseLedgerByKey(original_key, reason):
BEGIN TRANSACTION
orig = SELECT * FROM PointLedger WHERE idempotency_key = original_key AND status="POSTED"
IF NOT orig EXISTS:
COMMIT; RETURN "NOOP"
comp_key = CONCAT(original_key, ":COMP")
IF SELECT * FROM PointLedger WHERE idempotency_key = comp_key EXISTS:
COMMIT; RETURN "ALREADY_COMPENSATED"
current_balance = SELECT SUM(delta) FROM PointLedger WHERE member_id = orig.member_id AND status IN ("POSTED", "COMPENSATION_POSTED")
new_balance = current_balance - orig.delta
INSERT INTO PointLedger(id=NEW_ID, member_id=orig.member_id, delta=-orig.delta, source="COMPENSATION", idempotency_key=comp_key, balance=new_balance, status="COMPENSATION_POSTED", created_at=NOW)
event_id = WriteOutbox(event_type="points.accrued",
aggregate_id=orig.member_id,
payload = { ledger_id: NEW_ID, member_id: orig.member_id, delta: -orig.delta, balance: new_balance, idempotency_key: comp_key, source: "COMPENSATION", reason: reason })
COMMIT
- member-service(订阅 points.accrued,评估等级并发布 tier.changed)
CONSUMER OnPointsAccrued(event from points.accrued):
IF IsDuplicateEvent(event.event_id):
ACK; RETURN
member_id = event.member_id
// 加权积分:按有效期和权重模型计算
weighted_score = COMPUTE_WEIGHTED_SCORE(member_id, window=ACTIVE_TIER_WINDOW(), weight_model=LOAD_TIER_WEIGHT_MODEL())
// 基于门槛判断目标等级
current_tier = SELECT tier FROM Member WHERE id = member_id
target_tier = EVALUATE_TIER(weighted_score, thresholds=LOAD_TIERS())
IF target_tier > current_tier:
BEGIN TRANSACTION
UPDATE Member SET tier = target_tier, updated_at=NOW WHERE id = member_id
event_id = WriteOutbox(event_type="tier.changed",
aggregate_id=member_id,
payload = { member_id: member_id, from_tier: current_tier, to_tier: target_tier, reason: "POINTS_ACCUMULATED", effective_at: NOW })
COMMIT
ACK
FUNCTION COMPUTE_WEIGHTED_SCORE(member_id, window, weight_model):
points = SELECT delta, source, created_at FROM PointLedger WHERE member_id=member_id AND created_at IN window
score = 0
FOR p IN points:
w = weight_model[source] OR DEFAULT_WEIGHT
decay = TIME_DECAY(window, p.created_at)
score = score + p.delta * w * decay
RETURN score
FUNCTION EVALUATE_TIER(score, thresholds):
// thresholds: list of {tier_name, min_score}
RETURN MAX tier WHERE score >= min_score
- benefits-service(订阅 tier.changed,状态机与 Saga 编排)
CONSUMER OnTierChanged(event from tier.changed):
IF IsDuplicateEvent(event.event_id):
ACK; RETURN
member_id = event.member_id
from_tier = event.from_tier
to_tier = event.to_tier
policies = SELECT * FROM BenefitPolicy WHERE trigger_tier = to_tier AND status="ACTIVE"
FOR policy IN policies:
saga_id = GENERATE_UUID()
START_SAGA(saga_id, member_id, policy, change_event_id=event.event_id)
PROCESS START_SAGA(saga_id, member_id, policy, change_event_id):
// 幂等:一个 (member_id, policy_id, change_event_id) 只启动一次
IF EXISTS BenefitIssue WHERE member_id=member_id AND policy_id=policy.id AND idempotency_key=change_event_id:
RETURN
// Step 1: 预留库存
TRY:
BEGIN TRANSACTION
IF policy.type IN ("COUPON", "PACKAGE"):
stock = SELECT stock FROM Benefit WHERE id = policy.benefit_id FOR UPDATE
IF stock <= 0:
RAISE "OUT_OF_STOCK"
UPDATE Benefit SET stock = stock - 1 WHERE id = policy.benefit_id
INSERT INTO BenefitIssue(id=NEW_ID, member_id=member_id, benefit_id=policy.benefit_id, status="RESERVED",
saga_id=saga_id, idempotency_key=change_event_id, created_at=NOW)
COMMIT
CATCH "OUT_OF_STOCK":
HANDLE_COMPENSATION(saga_id, member_id, policy, reason="OUT_OF_STOCK")
RETURN
// Step 2: 发放/确认
TRY:
BEGIN TRANSACTION
UPDATE BenefitIssue SET status="GRANTED", updated_at=NOW WHERE id=NEW_ID
event_id = WriteOutbox(event_type="benefit.granted",
aggregate_id=member_id,
payload = { issue_id: NEW_ID, member_id: member_id, benefit_id: policy.benefit_id, type: policy.type, status: "GRANTED" })
COMMIT
CATCH transient_error:
// 可重试;不立即补偿
SCHEDULE_RETRY(saga_id)
RETURN
CATCH permanent_error:
HANDLE_COMPENSATION(saga_id, member_id, policy, reason="GRANT_FAILED")
RETURN
FUNCTION HANDLE_COMPENSATION(saga_id, member_id, policy, reason):
BEGIN TRANSACTION
issue = SELECT * FROM BenefitIssue WHERE saga_id=saga_id FOR UPDATE
IF issue EXISTS AND issue.status IN ("RESERVED", "PENDING"):
UPDATE BenefitIssue SET status="FAILED", updated_at=NOW WHERE id=issue.id
IF policy.type IN ("COUPON", "PACKAGE"):
UPDATE Benefit SET stock = stock + 1 WHERE id = policy.benefit_id // 释放库存
// 可选:回滚成长值(按策略)
IF policy.compensation_rolls_back_points == TRUE AND issue.idempotency_key EXISTS:
CALL points-service ReverseLedgerByKey(original_key=issue.idempotency_key, reason=reason)
COMMIT
- notification-service(消费 benefit.granted 并推送)
CONSUMER OnBenefitGranted(event from benefit.granted):
IF IsDuplicateEvent(event.event_id):
ACK; RETURN
message = FORMAT_MESSAGE(event.member_id, event.type, event.benefit_id)
result = SEND_TO_USER_CHANNEL(member_id=event.member_id, message=message)
RECORD_DELIVERY(member_id, event.issue_id, status=result.status, channel=result.channel, at=NOW)
ACK
API POST /members(body):
VALIDATE body.mobile FORMAT
BEGIN TRANSACTION
INSERT INTO Member(id=NEW_ID, mobile=MASK(body.mobile), tier=BASE_TIER, status="ACTIVE", updated_at=NOW)
WriteOutbox(event_type="member.created", aggregate_id=NEW_ID, payload={member_id: NEW_ID})
INSERT INTO AuditLog(...)
COMMIT
RETURN 201 { id: NEW_ID }
API GET /members/{id}:
AUTHN_MTLS_OR_HMAC()
member = SELECT * FROM Member WHERE id = id
RETURN 200 REDACT(member, fields=["audit_info"])
API GET /tiers:
RETURN SELECT * FROM Tier ORDER BY threshold ASC
API POST /benefits/grant { member_id, policy_id, idempotency_key }:
// 主动发放入口,走 Saga
IF EnsureIdempotency(scope="BENEFIT_GRANT_API", key=idempotency_key) == "RETRY_LATER":
RETURN 409 Retry
START_SAGA(saga_id=GENERATE_UUID(), member_id=member_id, policy=LOAD_POLICY(policy_id), change_event_id=idempotency_key)
CompleteIdempotency("BENEFIT_GRANT_API", idempotency_key, result_ref="STARTED")
RETURN 202 Accepted
SCHEDULED TASK ReconciliationDaily:
FOR each member IN Members:
ledger_sum = SELECT SUM(delta) FROM PointLedger WHERE member_id=member.id AND status IN ("POSTED", "COMPENSATION_POSTED")
IF ledger_sum != LAST_KNOWN_BALANCE(member.id):
ALERT "Ledger mismatch", member.id
CHECK_OUTBOX_STUCK(threshold_minutes=15)
CHECK_SAGA_FAILURE_RATE(window=1h, threshold=rate_limit)
CHECK_BENEFIT_STOCK_BELOW_MIN()
CONSUMER DeadLetterHandler(event from dead-letter):
CLASSIFY(event)
IF recoverable:
REPLAY(event)
ELSE:
CREATE_INCIDENT(event)
LOG_WITH_AUDIT(event)
FUNCTION IsDuplicateEvent(event_id):
RETURN EXISTS EventDedup WHERE event_id = event_id
CONSUMER INIT:
SET KafkaPartitionKey = member_id // 保证单会员内顺序一致
技术说明
- 规则引擎与成长值计算
- points-service 将订单金额、类别、时间等转换为成长值,支持权重和时间衰减(如近30日权重更高),以配置驱动(Tier.weight_model)。
- PointLedger 通过唯一约束(idempotency_key)保证接口幂等;每次写入更新冪等一致的 balance 快照,简化读取。
- Outbox 一致性与事件保证
- 在同一数据库事务中写业务数据与 Outbox,随后异步发布;避免“写库成功、发消息失败”的不一致。
- OutboxRelayer 提供重试与 DLQ 转移,事件带 event_id;消费者侧维护 EventDedup 集合去重,提供至少一次投递的幂等处理。
- Saga 编排与补偿
- 采用 benefits-service 内的 SagaManager 以实例级驱动发放流程,状态变化通过 BenefitIssue 状态机体现。
- 失败补偿包含:释放库存;标记 BenefitIssue 为 FAILED/COMPENSATED;可选触发 points-service 的反向账本(ReverseLedgerByKey),由策略配置决定是否“全链路补偿”。建议在“真实支付引发的积分”场景不回滚积分,避免违背交易事实;仅在误发/脏写场景回滚。
- 幂等与顺序
- 所有入口(orders.paid、/points/accrue、/benefits/grant)均要求 idempotency_key;幂等存储记录在 IdempotencyStore 并与业务对象唯一约束配合。
- Kafka 分区键使用 member_id,确保单会员事件顺序;跨服务通过事件去重保证处理幂等。
- 数据模型与索引建议
- PointLedger 索引:member_id+created_at、idempotency_key 唯一、source。
- BenefitIssue 索引:member_id、saga_id、idempotency_key 唯一、status。
- Outbox 索引:status+created_at;event_id 唯一。
- 安全与合规
- 服务间 mTLS 加密与双向认证;外部接口 HMAC 签名校验、限流与黑白名单。
- 审计日志记录重要操作(创建会员、发放权益、积分调整),敏感字段(mobile)按掩码存储与展示。
- 高可用与扩展性
- 各服务多副本部署;数据库主从或多 AZ;Kafka 多分区,以 member_id 为 key 扩展吞吐。
- 读写分离:成长值账本写入优先一致性,Member/Tier 读取可走只读副本。
- 观测与告警
- 指标:Outbox 未发送数量、平均发送延迟、DLQ 消息量、Saga 失败比率、库存告急阈值、对账差值、事件滞留时间。
- 告警在阈值越界时触发,并提供自动化重试/修复(如对账自动补发漏事件)。
- 运维与发布
- 定期对账任务核对账本与会员余额;死信队列监控与人工/自动重放。
- 灰度发布:按成员哈希或租户分配发布比例,监控关键指标后再扩大。
- 测试策略
- 幂等:重复 orders.paid 与 /points/accrue、/benefits/grant 请求,确保一次性效果。
- 等级边界:在门槛边界(=threshold±1)验证升级/不升级行为;有效期窗口切换时的等级回落/维持。
- 库存耗尽补偿:benefits-service 在 stock=0 时触发补偿,不产生 GRANTED 事件。
- 分片一致性:多分区 Kafka 下,同一 member_id 事件顺序性;跨区部署延迟与重放对账。
- 实现建议
- 事件模式采用“编排+编舞混合”:业务步骤靠事件编舞,失败补偿集中由 Saga 编排控制。
- 规则与策略尽量配置化(权重、窗口、阈值、发放策略、是否回滚积分),避免硬编码。
- 使用数据库事务锁(FOR UPDATE)保证库存扣减与发放记录一致,避免超发。
- 对 OutboxRelayer 使用逐条确认发布与幂等标记,确保故障恢复后不会重复投递造成副作用。
- 将所有事件载荷包含 idempotency_key 与 event_id,消费者侧以这两者作为去重与处理幂等依据。
