Retry on 403 for S3 put in certain environments (#115486)

This PR configures a new retry condition for s3 client so that it
retries on 403 for operations such as PUT in certain environments. Note
that 403 is already retried for GET due to S3RetryingInputStream.

Resolves: ES-9321

Author: ywangd

modules/repository-s3/src/internalClusterTest/java/org/elasticsearch/repositories/s3/S3BlobStoreRepositoryMetricsTests.java

@@ -19,6 +19,7 @@
 import org.elasticsearch.common.bytes.BytesArray;
 import org.elasticsearch.common.collect.Iterators;
 import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.core.Strings;
 import org.elasticsearch.core.SuppressForbidden;
 import org.elasticsearch.core.TimeValue;
 import org.elasticsearch.plugins.PluginsService;
@@ -53,11 +54,13 @@
 import static org.elasticsearch.repositories.RepositoriesMetrics.METRIC_THROTTLES_TOTAL;
 import static org.elasticsearch.repositories.RepositoriesMetrics.METRIC_UNSUCCESSFUL_OPERATIONS_TOTAL;
 import static org.elasticsearch.repositories.s3.S3RepositoriesMetrics.METRIC_DELETE_RETRIES_HISTOGRAM;
+import static org.elasticsearch.rest.RestStatus.FORBIDDEN;
 import static org.elasticsearch.rest.RestStatus.INTERNAL_SERVER_ERROR;
 import static org.elasticsearch.rest.RestStatus.NOT_FOUND;
 import static org.elasticsearch.rest.RestStatus.REQUESTED_RANGE_NOT_SATISFIED;
 import static org.elasticsearch.rest.RestStatus.SERVICE_UNAVAILABLE;
 import static org.elasticsearch.rest.RestStatus.TOO_MANY_REQUESTS;
+import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.lessThanOrEqualTo;
@@ -320,6 +323,51 @@ public void testRetrySnapshotDeleteMetricsWhenRetriesExhausted() {
         assertThat(longHistogramMeasurement.get(0).getLong(), equalTo(3L));
     }
 
+    public void testPutDoesNotRetryOn403InStateful() {
+        final Settings settings = internalCluster().getInstance(Settings.class);
+        assertThat(DiscoveryNode.isStateless(settings), equalTo(false));
+
+        final String repository = createRepository(randomRepositoryName());
+        final String dataNodeName = internalCluster().getNodeNameThat(DiscoveryNode::canContainData);
+        final TestTelemetryPlugin plugin = getPlugin(dataNodeName);
+        // Exclude snapshot related purpose to avoid trigger assertions for cross-checking purpose and blob names
+        final OperationPurpose purpose = randomFrom(
+            OperationPurpose.REPOSITORY_ANALYSIS,
+            OperationPurpose.CLUSTER_STATE,
+            OperationPurpose.INDICES,
+            OperationPurpose.TRANSLOG
+        );
+        final BlobContainer blobContainer = getBlobContainer(dataNodeName, repository);
+        final String blobName = randomIdentifier();
+
+        plugin.resetMeter();
+        addErrorStatus(new S3ErrorResponse(FORBIDDEN, Strings.format("""
+            <?xml version="1.0" encoding="UTF-8"?>
+            <Error>
+              <Code>InvalidAccessKeyId</Code>
+              <Message>The AWS Access Key Id you provided does not exist in our records.</Message>
+              <RequestId>%s</RequestId>
+            </Error>""", randomUUID())));
+
+        final var exception = expectThrows(IOException.class, () -> {
+            if (randomBoolean()) {
+                blobContainer.writeBlob(purpose, blobName, new BytesArray("blob"), randomBoolean());
+            } else {
+                blobContainer.writeMetadataBlob(
+                    purpose,
+                    blobName,
+                    randomBoolean(),
+                    randomBoolean(),
+                    outputStream -> outputStream.write("blob".getBytes())
+                );
+            }
+        });
+        assertThat(exception.getCause().getMessage(), containsString("InvalidAccessKeyId"));
+
+        assertThat(getLongCounterValue(plugin, METRIC_REQUESTS_TOTAL, Operation.PUT_OBJECT), equalTo(1L));
+        assertThat(getLongCounterValue(plugin, METRIC_EXCEPTIONS_TOTAL, Operation.PUT_OBJECT), equalTo(1L));
+    }
+
     private void addErrorStatus(RestStatus... statuses) {
         errorResponseQueue.addAll(Arrays.stream(statuses).map(S3ErrorResponse::new).toList());
     }

modules/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3Service.java

@@ -9,6 +9,7 @@
 
 package org.elasticsearch.repositories.s3;
 
+import com.amazonaws.AmazonServiceException;
 import com.amazonaws.ClientConfiguration;
 import com.amazonaws.SDKGlobalConfiguration;
 import com.amazonaws.auth.AWSCredentials;
@@ -20,13 +21,16 @@
 import com.amazonaws.auth.STSAssumeRoleWithWebIdentitySessionCredentialsProvider;
 import com.amazonaws.client.builder.AwsClientBuilder;
 import com.amazonaws.http.IdleConnectionReaper;
+import com.amazonaws.retry.PredefinedRetryPolicies;
+import com.amazonaws.retry.RetryPolicy;
 import com.amazonaws.services.s3.AmazonS3;
 import com.amazonaws.services.s3.AmazonS3ClientBuilder;
 import com.amazonaws.services.s3.internal.Constants;
 import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
 import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
 import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
 
+import org.apache.http.HttpStatus;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.ElasticsearchException;
@@ -193,7 +197,10 @@ AmazonS3 buildClient(final S3ClientSettings clientSettings) {
     protected AmazonS3ClientBuilder buildClientBuilder(S3ClientSettings clientSettings) {
         final AmazonS3ClientBuilder builder = AmazonS3ClientBuilder.standard();
         builder.withCredentials(buildCredentials(LOGGER, clientSettings, webIdentityTokenCredentialsProvider));
-        builder.withClientConfiguration(buildConfiguration(clientSettings));
+        final ClientConfiguration clientConfiguration = buildConfiguration(clientSettings, isStateless);
+        assert (isStateless == false && clientConfiguration.getRetryPolicy() == PredefinedRetryPolicies.DEFAULT)
+            || (isStateless && clientConfiguration.getRetryPolicy() == RETRYABLE_403_RETRY_POLICY) : "invalid retry policy configuration";
+        builder.withClientConfiguration(clientConfiguration);
 
         String endpoint = Strings.hasLength(clientSettings.endpoint) ? clientSettings.endpoint : Constants.S3_HOSTNAME;
         if ((endpoint.startsWith("http://") || endpoint.startsWith("https://")) == false) {
@@ -223,7 +230,7 @@ protected AmazonS3ClientBuilder buildClientBuilder(S3ClientSettings clientSettin
     }
 
     // pkg private for tests
-    static ClientConfiguration buildConfiguration(S3ClientSettings clientSettings) {
+    static ClientConfiguration buildConfiguration(S3ClientSettings clientSettings, boolean isStateless) {
         final ClientConfiguration clientConfiguration = new ClientConfiguration();
         // the response metadata cache is only there for diagnostics purposes,
         // but can force objects from every response to the old generation.
@@ -248,6 +255,10 @@ static ClientConfiguration buildConfiguration(S3ClientSettings clientSettings) {
         clientConfiguration.setUseThrottleRetries(clientSettings.throttleRetries);
         clientConfiguration.setSocketTimeout(clientSettings.readTimeoutMillis);
 
+        if (isStateless) {
+            clientConfiguration.setRetryPolicy(RETRYABLE_403_RETRY_POLICY);
+        }
+
         return clientConfiguration;
     }
 
@@ -504,4 +515,21 @@ interface SystemEnvironment {
     interface JvmEnvironment {
         String getProperty(String key, String defaultValue);
     }
+
+    static final RetryPolicy RETRYABLE_403_RETRY_POLICY = RetryPolicy.builder()
+        .withRetryCondition((originalRequest, exception, retriesAttempted) -> {
+            if (PredefinedRetryPolicies.DEFAULT_RETRY_CONDITION.shouldRetry(originalRequest, exception, retriesAttempted)) {
+                return true;
+            }
+            if (exception instanceof AmazonServiceException ase) {
+                return ase.getStatusCode() == HttpStatus.SC_FORBIDDEN && "InvalidAccessKeyId".equals(ase.getErrorCode());
+            }
+            return false;
+        })
+        .withBackoffStrategy(PredefinedRetryPolicies.DEFAULT_BACKOFF_STRATEGY)
+        .withMaxErrorRetry(PredefinedRetryPolicies.DEFAULT_MAX_ERROR_RETRY)
+        .withHonorMaxErrorRetryInClientConfig(true)
+        .withHonorDefaultMaxErrorRetryInRetryMode(true)
+        .withHonorDefaultBackoffStrategyInRetryMode(true)
+        .build();
 }

modules/repository-s3/src/test/java/org/elasticsearch/repositories/s3/AwsS3ServiceImplTests.java

@@ -17,6 +17,7 @@
 import com.amazonaws.auth.AWSStaticCredentialsProvider;
 import com.amazonaws.auth.BasicAWSCredentials;
 import com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper;
+import com.amazonaws.retry.PredefinedRetryPolicies;
 
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.util.Supplier;
@@ -211,7 +212,7 @@ private void launchAWSConfigurationTest(
     ) {
 
         final S3ClientSettings clientSettings = S3ClientSettings.getClientSettings(settings, "default");
-        final ClientConfiguration configuration = S3Service.buildConfiguration(clientSettings);
+        final ClientConfiguration configuration = S3Service.buildConfiguration(clientSettings, false);
 
         assertThat(configuration.getResponseMetadataCacheSize(), is(0));
         assertThat(configuration.getProtocol(), is(expectedProtocol));
@@ -222,6 +223,7 @@ private void launchAWSConfigurationTest(
         assertThat(configuration.getMaxErrorRetry(), is(expectedMaxRetries));
         assertThat(configuration.useThrottledRetries(), is(expectedUseThrottleRetries));
         assertThat(configuration.getSocketTimeout(), is(expectedReadTimeout));
+        assertThat(configuration.getRetryPolicy(), is(PredefinedRetryPolicies.DEFAULT));
     }
 
     public void testEndpointSetting() {

modules/repository-s3/src/test/java/org/elasticsearch/repositories/s3/S3ClientSettingsTests.java

@@ -194,9 +194,9 @@ public void testSignerOverrideCanBeSet() {
         );
         assertThat(settings.get("default").region, is(""));
         assertThat(settings.get("other").signerOverride, is(signerOverride));
-        ClientConfiguration defaultConfiguration = S3Service.buildConfiguration(settings.get("default"));
+        ClientConfiguration defaultConfiguration = S3Service.buildConfiguration(settings.get("default"), false);
         assertThat(defaultConfiguration.getSignerOverride(), nullValue());
-        ClientConfiguration configuration = S3Service.buildConfiguration(settings.get("other"));
+        ClientConfiguration configuration = S3Service.buildConfiguration(settings.get("other"), false);
         assertThat(configuration.getSignerOverride(), is(signerOverride));
     }
 
@@ -207,12 +207,18 @@ public void testMaxConnectionsCanBeSet() {
         );
         assertThat(settings.get("default").maxConnections, is(ClientConfiguration.DEFAULT_MAX_CONNECTIONS));
         assertThat(settings.get("other").maxConnections, is(maxConnections));
-        ClientConfiguration defaultConfiguration = S3Service.buildConfiguration(settings.get("default"));
+        ClientConfiguration defaultConfiguration = S3Service.buildConfiguration(settings.get("default"), false);
         assertThat(defaultConfiguration.getMaxConnections(), is(ClientConfiguration.DEFAULT_MAX_CONNECTIONS));
-        ClientConfiguration configuration = S3Service.buildConfiguration(settings.get("other"));
+        ClientConfiguration configuration = S3Service.buildConfiguration(settings.get("other"), false);
         assertThat(configuration.getMaxConnections(), is(maxConnections));
 
         // the default appears in the docs so let's make sure it doesn't change:
         assertEquals(50, ClientConfiguration.DEFAULT_MAX_CONNECTIONS);
     }
+
+    public void testStatelessDefaultRetryPolicy() {
+        final var s3ClientSettings = S3ClientSettings.load(Settings.EMPTY).get("default");
+        final var clientConfiguration = S3Service.buildConfiguration(s3ClientSettings, true);
+        assertThat(clientConfiguration.getRetryPolicy(), is(S3Service.RETRYABLE_403_RETRY_POLICY));
+    }
 }

modules/repository-s3/src/test/java/org/elasticsearch/repositories/s3/S3ServiceTests.java

@@ -8,23 +8,23 @@
  */
 package org.elasticsearch.repositories.s3;
 
+import com.amazonaws.AmazonWebServiceRequest;
+import com.amazonaws.services.s3.model.AmazonS3Exception;
+
 import org.elasticsearch.cluster.metadata.RepositoryMetadata;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.watcher.ResourceWatcherService;
-import org.mockito.Mockito;
 
 import java.io.IOException;
 
+import static org.mockito.Mockito.mock;
+
 public class S3ServiceTests extends ESTestCase {
 
     public void testCachedClientsAreReleased() throws IOException {
-        final S3Service s3Service = new S3Service(
-            Mockito.mock(Environment.class),
-            Settings.EMPTY,
-            Mockito.mock(ResourceWatcherService.class)
-        );
+        final S3Service s3Service = new S3Service(mock(Environment.class), Settings.EMPTY, mock(ResourceWatcherService.class));
         final Settings settings = Settings.builder().put("endpoint", "http://first").build();
         final RepositoryMetadata metadata1 = new RepositoryMetadata("first", "s3", settings);
         final RepositoryMetadata metadata2 = new RepositoryMetadata("second", "s3", settings);
@@ -41,4 +41,25 @@ public void testCachedClientsAreReleased() throws IOException {
         final S3ClientSettings clientSettingsReloaded = s3Service.settings(metadata1);
         assertNotSame(clientSettings, clientSettingsReloaded);
     }
+
+    public void testRetryOn403RetryPolicy() {
+        final AmazonS3Exception e = new AmazonS3Exception("error");
+        e.setStatusCode(403);
+        e.setErrorCode("InvalidAccessKeyId");
+
+        // Retry on 403 invalid access key id
+        assertTrue(
+            S3Service.RETRYABLE_403_RETRY_POLICY.getRetryCondition().shouldRetry(mock(AmazonWebServiceRequest.class), e, between(0, 9))
+        );
+
+        // Not retry if not 403 or not invalid access key id
+        if (randomBoolean()) {
+            e.setStatusCode(randomValueOtherThan(403, () -> between(0, 600)));
+        } else {
+            e.setErrorCode(randomAlphaOfLength(10));
+        }
+        assertFalse(
+            S3Service.RETRYABLE_403_RETRY_POLICY.getRetryCondition().shouldRetry(mock(AmazonWebServiceRequest.class), e, between(0, 9))
+        );
+    }
 }