fix: mitigate STS assume role throttling in Kafka buffer (#6634)

Prevent excessive STS AssumeRole calls when customers delete their IAM
role or misconfigure the trust policy. Previously, one pipeline could
generate 12,000 STS calls in 4 minutes due to unbounded retries of
non-retryable AccessDeniedException errors.

Changes:
- KafkaSecurityConfigurer: Fail fast on STS 403 (AccessDenied) in getBootStrapServersForMsk() instead of retrying 360 times
- KafkaSecurityConfigurer: Replace fixed 10s retry sleep with exponential backoff (10s to 10min max) for retryable STS and Kafka errors
- KafkaCustomConsumer: Replace fixed 10s retry with exponential backoff using Kafka's ExponentialBackoff (10s to 10min max) for AuthenticationException errors
- KafkaCustomConsumer: Use Duration constants for backoff readability
- KafkaCustomConsumer: Reset backoff counter on successful poll to handle transient errors gracefully
Add exponential backoff to outer run() exception handler

Signed-off-by: Dinu John <86094133+dinujoh@users.noreply.github.com>

* chore: remove unused imports from KafkaSecurityConfigurerTest

Signed-off-by: Dinu John <86094133+dinujoh@users.noreply.github.com>

* refactor: address review comments - use Kafka ExponentialBackoff, Duration constants, remove silent shutdown

Signed-off-by: Dinu John <86094133+dinujoh@users.noreply.github.com>

---------

Signed-off-by: Dinu John <86094133+dinujoh@users.noreply.github.com>

Author: dinujoh

data-prepper-plugins/kafka-plugins/src/main/java/org/opensearch/dataprepper/plugins/kafka/consumer/KafkaCustomConsumer.java

@@ -25,6 +25,7 @@
 import org.apache.kafka.common.TopicPartition;
 import org.apache.kafka.common.errors.AuthenticationException;
 import org.apache.kafka.common.errors.RebalanceInProgressException;
+import org.apache.kafka.common.utils.ExponentialBackoff;
 import org.apache.kafka.common.errors.RecordDeserializationException;
 import org.apache.kafka.common.header.Header;
 import org.apache.kafka.common.header.Headers;
@@ -75,6 +76,8 @@ public class KafkaCustomConsumer implements Runnable, ConsumerRebalanceListener
     private static final Logger LOG = LoggerFactory.getLogger(KafkaCustomConsumer.class);
     private static final Long COMMIT_OFFSET_INTERVAL_MS = 300000L;
     private static final int RETRY_ON_EXCEPTION_SLEEP_MS = 1000;
+    static final Duration INITIAL_BACKOFF = Duration.ofSeconds(10);
+    static final Duration MAX_BACKOFF = Duration.ofMinutes(10);
     private static final int BUFFER_WRITE_TIMEOUT = 2000;
     static final String DEFAULT_KEY = "message";
 
@@ -104,6 +107,8 @@ public class KafkaCustomConsumer implements Runnable, ConsumerRebalanceListener
     private final LogRateLimiter errLogRateLimiter;
     private final ByteDecoder byteDecoder;
     private final long maxRetriesOnException;
+    private final ExponentialBackoff exponentialBackoff;
+    private long authFailureAttempts;
     private final Map<Integer, Long> partitionToLastReceivedTimestampMillis;
     private final CompressionOption compressionConfig;
     private final boolean invokeCallbackOnExpiry;
@@ -146,6 +151,8 @@ public KafkaCustomConsumer(final KafkaConsumer consumer,
         this.lastCommitTime = System.currentTimeMillis();
         this.numberOfAcksPending = new AtomicInteger(0);
         this.errLogRateLimiter = new LogRateLimiter(2, System.currentTimeMillis());
+        this.exponentialBackoff = new ExponentialBackoff(INITIAL_BACKOFF.toMillis(), 2, MAX_BACKOFF.toMillis(), 0);
+        this.authFailureAttempts = 0;
         this.compressionConfig = (compressionConfig == null) ? CompressionOption.NONE : compressionConfig;
     }
 
@@ -227,6 +234,7 @@ <T> ConsumerRecords<String, T> doPoll() throws Exception {
     <T> void consumeRecords() throws Exception {
         try {
             ConsumerRecords<String, T> records = doPoll();
+            resetAuthBackoff();
             LOG.debug("Consumed records with count {}", records.count());
             if (Objects.nonNull(records) && !records.isEmpty() && records.count() > 0) {
                 Map<TopicPartition, CommitOffsetRange> offsets = new HashMap<>();
@@ -246,9 +254,13 @@ <T> void consumeRecords() throws Exception {
                 }
             }
         } catch (AuthenticationException e) {
-            LOG.warn("Authentication error while doing poll(). Will retry after 10 seconds", e);
+            authFailureAttempts++;
+            long backoffMs = exponentialBackoff.backoff(authFailureAttempts - 1);
             topicMetrics.getNumberOfPollAuthErrors().increment();
-            Thread.sleep(10000);
+            LOG.warn("Authentication error while doing poll() for topic {} (failure count: {}). " +
+                    "Will retry after {} ms. Verify that the IAM role exists and trust policy is correct.",
+                    topicName, authFailureAttempts, backoffMs, e);
+            sleepMillis(backoffMs);
         } catch (RecordDeserializationException e) {
             LOG.warn("Deserialization error - topic {} partition {} offset {}. Error message: {}",
                     e.topicPartition().topic(), e.topicPartition().partition(), e.offset(), e.getMessage());
@@ -272,6 +284,15 @@ <T> void consumeRecords() throws Exception {
         }
     }
 
+    private void resetAuthBackoff() {
+        authFailureAttempts = 0;
+    }
+
+    @VisibleForTesting
+    void sleepMillis(long millis) throws InterruptedException {
+        Thread.sleep(millis);
+    }
+
     private void addAcknowledgedOffsets(final TopicPartition topicPartition, final Range<Long> offsetRange) {
         final int partitionId = topicPartition.partition();
         final TopicPartitionCommitTracker commitTracker = partitionCommitTrackerMap.get(partitionId);
@@ -394,12 +415,14 @@ public void run() {
         });
 
         boolean retryingAfterException = false;
+        long outerRetryAttempts = 0;
         while (!shutdownInProgress.get()) {
             LOG.debug("Still running Kafka consumer in start of loop");
             try {
                 if (retryingAfterException) {
-                    LOG.debug("Pause consuming from Kafka topic due a previous exception.");
-                    Thread.sleep(10000);
+                    long backoffMs = exponentialBackoff.backoff(outerRetryAttempts - 1);
+                    LOG.debug("Pause consuming from Kafka topic due a previous exception. Backoff: {} ms", backoffMs);
+                    Thread.sleep(backoffMs);
                 } else if (pauseConsumePredicate.pauseConsuming()) {
                     LOG.debug("Pause and skip consuming from Kafka topic due to an external condition: {}", pauseConsumePredicate);
                     paused = true;
@@ -421,9 +444,12 @@ public void run() {
                 topicMetrics.update(consumer);
                 LOG.debug("Updated consumer metrics");
                 retryingAfterException = false;
+                outerRetryAttempts = 0;
             } catch (Exception exp) {
-                LOG.error("Error while reading the records from the topic {}. Retry after 10 seconds", topicName, exp);
+                long backoffMs = exponentialBackoff.backoff(outerRetryAttempts);
+                LOG.error("Error while reading the records from the topic {}. Retry after {} ms", topicName, backoffMs, exp);
                 retryingAfterException = true;
+                outerRetryAttempts++;
             }
         }
         LOG.info("Shutting down, number of acks pending = {}", numberOfAcksPending.get());

data-prepper-plugins/kafka-plugins/src/main/java/org/opensearch/dataprepper/plugins/kafka/util/KafkaSecurityConfigurer.java

@@ -23,6 +23,9 @@
 import org.opensearch.dataprepper.plugins.kafka.configuration.ScramAuthConfig;
 import org.apache.kafka.clients.consumer.ConsumerConfig;
 
+import org.apache.kafka.common.utils.ExponentialBackoff;
+import java.time.Duration;
+
 import software.amazon.awssdk.services.kafka.KafkaClient;
 import software.amazon.awssdk.services.kafka.model.GetBootstrapBrokersRequest;
 import software.amazon.awssdk.services.kafka.model.GetBootstrapBrokersResponse;
@@ -287,17 +290,33 @@ public static String getBootStrapServersForMsk(final AwsConfig awsConfig,
                         .clusterArn(awsMskConfig.getArn())
                         .build();
 
+        final ExponentialBackoff backoff = new ExponentialBackoff(
+                Duration.ofSeconds(10).toMillis(), 2, Duration.ofMinutes(10).toMillis(), 0);
         int numRetries = 0;
         boolean retryable;
         GetBootstrapBrokersResponse result = null;
         do {
             retryable = false;
             try {
                 result = kafkaClient.getBootstrapBrokers(request);
-            } catch (KafkaException | StsException e) {
-                log.info("Failed to get bootstrap server information from MSK. Will try every 10 seconds for {} seconds", 10*MAX_KAFKA_CLIENT_RETRIES, e);
+            } catch (StsException e) {
+                if (e.statusCode() == 403) {
+                    throw new RuntimeException("Access denied when calling STS to get bootstrap server information from MSK. " +
+                            "Verify that the role exists and the trust policy is correctly configured.", e);
+                }
+                long backoffMs = backoff.backoff(numRetries);
+                log.info("Failed to get bootstrap server information from MSK due to STS error. Retrying after {} ms (attempt {}/{})",
+                        backoffMs, numRetries + 1, MAX_KAFKA_CLIENT_RETRIES, e);
+                try {
+                    Thread.sleep(backoffMs);
+                } catch (InterruptedException exp) {}
+                retryable = true;
+            } catch (KafkaException e) {
+                long backoffMs = backoff.backoff(numRetries);
+                log.info("Failed to get bootstrap server information from MSK due to Kafka error. Retrying after {} ms (attempt {}/{})",
+                        backoffMs, numRetries + 1, MAX_KAFKA_CLIENT_RETRIES, e);
                 try {
-                    Thread.sleep(10000);
+                    Thread.sleep(backoffMs);
                 } catch (InterruptedException exp) {}
                 retryable = true;
             } catch (Exception e) {

data-prepper-plugins/kafka-plugins/src/test/java/org/opensearch/dataprepper/plugins/kafka/consumer/KafkaCustomConsumerTest.java

@@ -21,6 +21,7 @@
 import org.apache.kafka.clients.consumer.OffsetAndMetadata;
 import org.apache.kafka.common.TopicPartition;
 import org.apache.kafka.common.errors.RebalanceInProgressException;
+import org.apache.kafka.common.errors.AuthenticationException;
 import org.apache.kafka.common.errors.RecordDeserializationException;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.BeforeEach;
@@ -32,6 +33,7 @@
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.mockito.junit.jupiter.MockitoSettings;
+import org.mockito.ArgumentCaptor;
 import org.mockito.quality.Strictness;
 import org.opensearch.dataprepper.core.acknowledgements.DefaultAcknowledgementSetManager;
 import org.opensearch.dataprepper.model.CheckpointState;
@@ -65,15 +67,20 @@
 
 import static org.awaitility.Awaitility.await;
 import static org.hamcrest.CoreMatchers.equalTo;
+import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.hasEntry;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyInt;
+import static org.mockito.ArgumentMatchers.anyLong;
 import static org.mockito.ArgumentMatchers.anyMap;
 import static org.mockito.Mockito.doAnswer;
 import static org.mockito.Mockito.doThrow;
+import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.doNothing;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
@@ -159,6 +166,7 @@ public void setUp() throws JsonProcessingException {
         when(topicMetrics.getNumberOfRecordsCommitted()).thenReturn(counter);
         when(topicMetrics.getNumberOfDeserializationErrors()).thenReturn(counter);
         when(topicMetrics.getNumberOfInvalidTimeStamps()).thenReturn(counter);
+        when(topicMetrics.getNumberOfPollAuthErrors()).thenReturn(counter);
         when(topicConfig.getThreadWaitingTime()).thenReturn(Duration.ofSeconds(1));
         when(topicConfig.getSerdeFormat()).thenReturn(MessageFormat.PLAINTEXT);
         when(topicConfig.getAutoCommit()).thenReturn(false);
@@ -694,6 +702,87 @@ public void testCommitOffsets_OtherException_ClearsOffsets() throws Exception {
             "Offsets should be cleared after non-rebalance exception");
     }
 
+    @Test
+    public void testConsumeRecords_AuthenticationException_IncrementsCounterAndUsesBackoff() throws Exception {
+        String topic = topicConfig.getName();
+        Counter authErrorCounter = mock(Counter.class);
+        when(topicMetrics.getNumberOfPollAuthErrors()).thenReturn(authErrorCounter);
+        when(topicConfig.getMaxPollInterval()).thenReturn(Duration.ofMillis(60000));
+
+        AuthenticationException authException = new AuthenticationException("Auth failed");
+        when(kafkaConsumer.poll(any(Duration.class))).thenThrow(authException);
+
+        consumer = spy(createObjectUnderTest("plaintext", false));
+        doNothing().when(consumer).sleepMillis(anyLong());
+        consumer.onPartitionsAssigned(List.of(new TopicPartition(topic, testPartition)));
+
+        consumer.consumeRecords();
+
+        verify(authErrorCounter, times(1)).increment();
+        verify(consumer).sleepMillis(KafkaCustomConsumer.INITIAL_BACKOFF.toMillis());
+    }
+
+    @Test
+    public void testConsumeRecords_MultipleAuthFailures_UsesExponentialBackoff() throws Exception {
+        String topic = topicConfig.getName();
+        Counter authErrorCounter = mock(Counter.class);
+        when(topicMetrics.getNumberOfPollAuthErrors()).thenReturn(authErrorCounter);
+        when(topicConfig.getMaxPollInterval()).thenReturn(Duration.ofMillis(60000));
+
+        AuthenticationException authException = new AuthenticationException("Auth failed");
+        when(kafkaConsumer.poll(any(Duration.class))).thenThrow(authException);
+
+        consumer = spy(createObjectUnderTest("plaintext", false));
+        doNothing().when(consumer).sleepMillis(anyLong());
+        consumer.onPartitionsAssigned(List.of(new TopicPartition(topic, testPartition)));
+
+        consumer.consumeRecords();
+        consumer.consumeRecords();
+        consumer.consumeRecords();
+
+        Assertions.assertFalse(shutdownInProgress.get(),
+                "Consumer should not shut down on auth failures");
+        ArgumentCaptor<Long> sleepCaptor = ArgumentCaptor.forClass(Long.class);
+        verify(consumer, times(3)).sleepMillis(sleepCaptor.capture());
+        List<Long> sleepValues = sleepCaptor.getAllValues();
+        assertThat(sleepValues.get(0), is(KafkaCustomConsumer.INITIAL_BACKOFF.toMillis()));
+        assertThat(sleepValues.get(1), is(KafkaCustomConsumer.INITIAL_BACKOFF.toMillis() * 2));
+        assertThat(sleepValues.get(2), is(KafkaCustomConsumer.INITIAL_BACKOFF.toMillis() * 4));
+    }
+
+    @Test
+    public void testConsumeRecords_SuccessfulPollResetsAuthFailureCounter() throws Exception {
+        String topic = topicConfig.getName();
+        Counter authErrorCounter = mock(Counter.class);
+        when(topicMetrics.getNumberOfPollAuthErrors()).thenReturn(authErrorCounter);
+        when(topicConfig.getMaxPollInterval()).thenReturn(Duration.ofMillis(60000));
+
+        AuthenticationException authException = new AuthenticationException("Auth failed");
+        consumerRecords = createPlainTextRecords(topic, 0L);
+
+        when(kafkaConsumer.poll(any(Duration.class)))
+                .thenThrow(authException)
+                .thenThrow(authException)
+                .thenReturn(consumerRecords);
+
+        consumer = spy(createObjectUnderTest("plaintext", false));
+        doNothing().when(consumer).sleepMillis(anyLong());
+        consumer.onPartitionsAssigned(List.of(new TopicPartition(topic, testPartition)));
+
+        consumer.consumeRecords(); // auth failure 1
+        consumer.consumeRecords(); // auth failure 2
+        consumer.consumeRecords(); // success - resets backoff
+
+        // Next auth failure should use initial backoff again
+        when(kafkaConsumer.poll(any(Duration.class))).thenThrow(authException);
+        consumer.consumeRecords(); // auth failure after reset
+
+        ArgumentCaptor<Long> sleepCaptor = ArgumentCaptor.forClass(Long.class);
+        verify(consumer, times(3)).sleepMillis(sleepCaptor.capture());
+        List<Long> sleepValues = sleepCaptor.getAllValues();
+        assertThat(sleepValues.get(2), is(KafkaCustomConsumer.INITIAL_BACKOFF.toMillis()));
+    }
+
     private ConsumerRecords createPlainTextRecords(String topic, final long startOffset) {
         Map<TopicPartition, List<ConsumerRecord>> records = new HashMap<>();
         ConsumerRecord<String, String> record1 = new ConsumerRecord<>(topic, testPartition, startOffset, testKey1, testValue1);

data-prepper-plugins/kafka-plugins/src/test/java/org/opensearch/dataprepper/plugins/kafka/util/KafkaSecurityConfigurerTest.java

@@ -33,6 +33,7 @@
 import software.amazon.awssdk.services.kafka.model.GetBootstrapBrokersResponse;
 import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
 import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
+import software.amazon.awssdk.services.sts.model.StsException;
 
 import java.io.FileReader;
 import java.io.IOException;
@@ -55,6 +56,7 @@
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.mockStatic;
+import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoInteractions;
 import static org.mockito.Mockito.when;
@@ -218,6 +220,71 @@ public void testSetAuthPropertiesBootstrapServersOverrideByMSK() throws IOExcept
                 is("software.amazon.msk.auth.iam.IAMClientCallbackHandler"));
     }
 
+    @Test
+    public void testGetBootStrapServersForMsk_StsException403_ThrowsImmediately() throws IOException {
+        final Properties props = new Properties();
+        final KafkaSourceConfig kafkaSourceConfig = createKafkaSinkConfig("kafka-pipeline-bootstrap-servers-override-by-msk.yaml");
+        final KafkaClientBuilder kafkaClientBuilder = mock(KafkaClientBuilder.class);
+        final KafkaClient kafkaClient = mock(KafkaClient.class);
+        when(kafkaClientBuilder.credentialsProvider(any())).thenReturn(kafkaClientBuilder);
+        when(kafkaClientBuilder.region(any(Region.class))).thenReturn(kafkaClientBuilder);
+        when(kafkaClientBuilder.build()).thenReturn(kafkaClient);
+
+        final StsException stsException = (StsException) StsException.builder()
+                .statusCode(403)
+                .message("Access Denied")
+                .build();
+
+        when(kafkaClient.getBootstrapBrokers(any(GetBootstrapBrokersRequest.class)))
+                .thenThrow(stsException);
+
+        try (MockedStatic<KafkaClient> mockedKafkaClient = mockStatic(KafkaClient.class)) {
+            mockedKafkaClient.when(KafkaClient::builder).thenReturn(kafkaClientBuilder);
+
+            RuntimeException thrown = org.junit.jupiter.api.Assertions.assertThrows(
+                    RuntimeException.class,
+                    () -> KafkaSecurityConfigurer.setAuthProperties(props, kafkaSourceConfig, LOG)
+            );
+
+            assertThat(thrown.getMessage(), is("Access denied when calling STS to get bootstrap server information from MSK. " +
+                    "Verify that the role exists and the trust policy is correctly configured."));
+
+            verify(kafkaClient, times(1)).getBootstrapBrokers(any(GetBootstrapBrokersRequest.class));
+        }
+    }
+
+    @Test
+    public void testGetBootStrapServersForMsk_StsExceptionNon403_Retries() throws IOException {
+        final String testMSKEndpoint = "test-endpoint:9098";
+        final Properties props = new Properties();
+        final KafkaSourceConfig kafkaSourceConfig = createKafkaSinkConfig("kafka-pipeline-bootstrap-servers-override-by-msk.yaml");
+        final KafkaClientBuilder kafkaClientBuilder = mock(KafkaClientBuilder.class);
+        final KafkaClient kafkaClient = mock(KafkaClient.class);
+        when(kafkaClientBuilder.credentialsProvider(any())).thenReturn(kafkaClientBuilder);
+        when(kafkaClientBuilder.region(any(Region.class))).thenReturn(kafkaClientBuilder);
+        when(kafkaClientBuilder.build()).thenReturn(kafkaClient);
+
+        final StsException stsException = (StsException) StsException.builder()
+                .statusCode(500)
+                .message("Internal Server Error")
+                .build();
+
+        final GetBootstrapBrokersResponse response = mock(GetBootstrapBrokersResponse.class);
+        when(response.bootstrapBrokerStringSaslIam()).thenReturn(testMSKEndpoint);
+
+        when(kafkaClient.getBootstrapBrokers(any(GetBootstrapBrokersRequest.class)))
+                .thenThrow(stsException)
+                .thenReturn(response);
+
+        try (MockedStatic<KafkaClient> mockedKafkaClient = mockStatic(KafkaClient.class)) {
+            mockedKafkaClient.when(KafkaClient::builder).thenReturn(kafkaClientBuilder);
+            KafkaSecurityConfigurer.setAuthProperties(props, kafkaSourceConfig, LOG);
+        }
+
+        assertThat(props.getProperty("bootstrap.servers"), is(testMSKEndpoint));
+        verify(kafkaClient, times(2)).getBootstrapBrokers(any(GetBootstrapBrokersRequest.class));
+    }
+
     @Test
     public void testSetAuthPropertiesMskWithSaslPlain() throws IOException {
         final String testMSKEndpoint = UUID.randomUUID().toString();