Andrea Cosentino created CAMEL-24191:
----------------------------------------
Summary: camel-aws2-kinesis: KCL consumer ignores session
credentials and mishandles checkpoint/error handling
Key: CAMEL-24191
URL: https://issues.apache.org/jira/browse/CAMEL-24191
Project: Camel
Issue Type: Bug
Components: camel-aws2-kinesis
Reporter: Andrea Cosentino
Assignee: Andrea Cosentino
Fix For: 4.14.9, 4.22.0, 4.18.4
Split out of CAMEL-24156 (deep review of the AWS components). Two defects in
the KCL-based Kinesis consumer (KclKinesis2Consumer):
1. *Session credentials are silently ignored.* In both the DynamoDB and
CloudWatch async-client builders the branch order tests {{accessKey &&
secretKey}} before {{accessKey && secretKey && sessionToken}}. The first branch
always matches when access/secret keys are set, so the session-token branch is
unreachable and the DynamoDB/CloudWatch clients never use STS temporary
credentials — they fail when only session credentials are valid. Code:
KclKinesis2Consumer.java ~lines 94-133.
2. *Checkpoint/error handling loses or reprocesses data.* processRecords wraps
the per-record processing in {{catch (Throwable t)}} that logs a message
*without* the exception (no stack trace) and does not rethrow; the scheduler
then proceeds and later checkpoints at shard end / shutdown, so records that
failed to process are checkpointed past (data loss). There is no checkpoint
after successful processing, so a crash reprocesses the whole lease. Code:
KclKinesis2Consumer.java ~lines 193-232.
Fix direction: reorder the credential branches so the session-token branch is
reachable (both builders); log the processing exception with its stack trace
and stop swallowing it; checkpoint after a batch is processed successfully and
avoid checkpointing past a failed batch.
Present on camel-4.18.x and camel-4.14.x; backport to both.
Found during an agent-assisted audit of the AWS components; verified against
the cited code.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)