最终的一致性是这里的关键。

选择其中一个服务作为事件的主要处理程序。 该服务将处理单个提交的原始事件。 主处理程序将负责将次要效果异步地传递给其他服务。 主处理程序将对其他服务调用进行编排。

指挥官负责分布式事务并进行控制。它知道要执行的指令，并协调执行它们。在大多数情况下，只有两条指令，但它可以处理多条指令。

指挥官负责保证所有指令的执行，这意味着退休。 当指挥官试图执行远程更新而没有得到响应时，它没有重试。 通过这种方式，系统可以配置为更不容易出现故障，并自我修复。

当我们进行重试时，我们有幂等性。 幂等性是这样一种性质，即可以做某事两次，最终结果与只做一次一样。 我们需要远程服务或数据源上的幂等性，以便在它多次接收指令的情况下，它只处理一次指令。

最终一致性 这解决了大多数分布式事务的挑战，但是我们需要考虑以下几点。 每一个失败的事务都将被重试，尝试重试的数量取决于上下文。

一致性是最终的，即在重试期间系统处于不一致的状态，例如，如果客户订购了一本书，并支付了费用，然后更新了库存数量。如果库存更新操作失败，并且假设这是最后一个可用的库存，那么在库存更新的重试操作成功之前，这本书仍然可用。重试成功后，您的系统将保持一致。

恕我直言，微服务架构的一个关键方面是事务被限制在单个微服务中(单一责任原则)。

在当前示例中，User创建将是一个自己的事务。用户创建将把USER_CREATED事件推入事件队列。钱包服务将订阅USER_CREATED事件并创建钱包。

如果我的钱包只是用户在同一个sql数据库中的另一组记录，那么我可能会将用户和钱包的创建代码放在同一个服务中，并使用正常的数据库事务设施进行处理。

在我看来，你是在问，当钱包创建代码要求你接触另一个或多个系统时会发生什么?我认为这完全取决于创建过程的复杂性和风险。

如果只是涉及到另一个可靠的数据存储(比如一个不能参与sql事务的数据存储)，那么根据整个系统参数，我可能愿意冒第二次写入不会发生的小概率风险。我可能什么也不做，只是引发一个异常，并通过补偿事务或甚至一些特别方法处理不一致的数据。就像我总是告诉开发者的那样:“如果这类事情发生在应用中，它不会被忽视。”

随着钱包创建的复杂性和风险的增加，您必须采取措施来改善所涉及的风险。假设有些步骤需要调用多个合作伙伴api。

此时，您可能会引入消息队列以及部分构造的用户和/或钱包的概念。

确保实体最终被正确构造的一个简单而有效的策略是让作业重试，直到它们成功为止，但这在很大程度上取决于应用程序的用例。

我也会仔细思考为什么我的配置过程中有一个容易失败的步骤。

为什么不使用支持脚本/编程的API管理(APIM)平台?因此，您将能够在APIM中构建复合服务，而不会干扰微服务。为此，我使用APIGEE进行设计。

This is a classic question I was asked during an interview recently How to call multiple web services and still preserve some kind of error handling in the middle of the task. Today, in high performance computing, we avoid two phase commits. I read a paper many years ago about what was called the "Starbuck model" for transactions: Think about the process of ordering, paying, preparing and receiving the coffee you order at Starbuck... I oversimplify things but a two phase commit model would suggest that the whole process would be a single wrapping transaction for all the steps involved until you receive your coffee. However, with this model, all employees would wait and stop working until you get your coffee. You see the picture ?

相反，“星巴克模式”通过遵循“尽最大努力”模式并补偿过程中的错误，更有成效。首先，他们会确保你付钱!然后，将您的订单附加到杯子上的消息队列。如果在这个过程中出现了问题，比如你没有拿到你的咖啡，这不是你点的东西，等等，我们会进入赔偿过程，我们会确保你得到你想要的东西或退款给你，这是提高生产力的最有效的模式。

有时，星巴克浪费了一杯咖啡，但整个过程是高效的。在构建web服务时，还有其他一些技巧需要考虑，比如将它们设计成可以被任意次调用并且仍然提供相同的最终结果。所以我的建议是:

Don't be too fine when defining your web services (I am not convinced about the micro-service hype happening these days: too many risks of going too far); Async increases performance so prefer being async, send notifications by email whenever possible. Build more intelligent services to make them "recallable" any number of times, processing with an uid or taskid that will follow the order bottom-top until the end, validating business rules in each step; Use message queues (JMS or others) and divert to error handling processors that will apply operations to "rollback" by applying opposite operations, by the way, working with async order will require some sort of queue to validate the current state of the process, so consider that; In last resort, (since it may not happen often), put it in a queue for manual processing of errors.

让我们回到最初的问题。创建一个账户，创建一个钱包，确保一切都完成了。

假设调用一个web服务来编排整个操作。

web服务的伪代码如下所示:

Call Account creation microservice, pass it some information and a some unique task id 1.1 Account creation microservice will first check if that account was already created. A task id is associated with the account's record. The microservice detects that the account does not exist so it creates it and stores the task id. NOTE: this service can be called 2000 times, it will always perform the same result. The service answers with a "receipt that contains minimal information to perform an undo operation if required". Call Wallet creation, giving it the account ID and task id. Let's say a condition is not valid and the wallet creation cannot be performed. The call returns with an error but nothing was created. The orchestrator is informed of the error. It knows it needs to abort the Account creation but it will not do it itself. It will ask the wallet service to do it by passing its "minimal undo receipt" received at the end of step 1. The Account service reads the undo receipt and knows how to undo the operation; the undo receipt may even include information about another microservice it could have called itself to do part of the job. In this situation, the undo receipt could contain the Account ID and possibly some extra information required to perform the opposite operation. In our case, to simplify things, let's say is simply delete the account using its account id. Now, let's say the web service never received the success or failure (in this case) that the Account creation's undo was performed. It will simply call the Account's undo service again. And this service should normaly never fail because its goal is for the account to no longer exist. So it checks if it exists and sees nothing can be done to undo it. So it returns that the operation is a success. The web service returns to the user that the account could not be created.

This is a synchronous example. We could have managed it in a different way and put the case into a message queue targeted to the help desk if we don't want the system to completly recover the error". I've seen this being performed in a company where not enough hooks could be provided to the back end system to correct situations. The help desk received messages containing what was performed successfully and had enough information to fix things just like our undo receipt could be used for in a fully automated way.

我已经进行了搜索，微软网站对这种方法有一个模式描述。它被称为补偿事务模式:

补偿事务模式

一个简单的解决方案是使用用户服务创建用户，并使用消息总线，其中用户服务发出其事件，钱包服务在消息总线上注册，监听用户创建的事件并为用户创建钱包。同时，如果用户进入钱包UI查看他的钱包，检查用户是否刚刚创建，并显示您的钱包正在创建中，请过一段时间再检查