Adithya-Shetty100 opened a new pull request, #19617: URL: https://github.com/apache/druid/pull/19617
### Description `S3Utils.S3RETRY` classifies a transient TLS/transport read failure as non-retriable when the `SSLException` wraps a non-`IOException` cause. A segment pull from S3 (`S3DataSegmentPuller.getSegmentFiles` -> `CompressionUtils.unzip`, retried via `RetryUtils.retry(..., S3Utils.S3RETRY, ...)`) can fail mid-stream with `javax.net.ssl.SSLException: Tag mismatch!` caused by `javax.crypto.AEADBadTagException` — a corrupted TLS record failing AES-GCM authentication during the HTTPS GET. This is a transient transport error; a fresh `getObject` (which `S3DataSegmentPuller` already opens per retry via its `ByteSource`) would almost certainly succeed. `SSLException` is an `IOException`, but it has a cause, so `S3RETRY` recurses into the cause (`AEADBadTagException`, a `GeneralSecurityException`), which matches none of the retriable branches and returns `false`. The segment load is therefore not retried. Under MSQ this surfaces as a non-retriable `UnknownError` and aborts the entire multi-stage query — a single transient corrupted TLS record on one worker can fail a large multi-worker SELECT. This change classifies `SSLException` as retriable, ahead of the generic `IOException` branch. It mirrors the targeted-signature approach of #11941 (which added retry for the `SdkClientException` "Data read has a different length than the expected" dropped-connection case). Fixes #19616. ### Release note Retry S3 reads that fail with a transient `SSLException` (e.g. a TLS "Tag mismatch") instead of treating them as terminal. <hr> This PR has: - [x] been self-reviewed. - [x] added unit tests covering the new behavior (`S3UtilsTest#testRetryWithSslExceptionWrappingAeadBadTag`). -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
