Add _retry_server_directed_only mode for Retry-After header compliance

sd-db · sd-db · commit df75ba18e246 · 2026-03-19T16:11:38.000+05:30
When enabled, the connector only retries on 429/503 if the server includes
a Retry-After header in the response. This prevents duplicate side effects
for non-idempotent ExecuteStatement operations where the server has not
explicitly signaled that retry is safe.

The new opt-in parameter `_retry_server_directed_only` threads through
ClientContext, all three DatabricksRetryPolicy construction sites (Thrift,
SEA, UnifiedHttpClient), and the retry policy's should_retry/is_retry
methods. Default behavior (retry without requiring the header) is unchanged.

Signed-off-by: Shubham Dhal &lt;shubham.dhal@databricks.com&gt;
diff --git a/src/databricks/sql/auth/common.py b/src/databricks/sql/auth/common.py
@@ -47,6 +47,7 @@ def __init__(
         retry_stop_after_attempts_duration: Optional[float] = None,
         retry_delay_default: Optional[float] = None,
         retry_dangerous_codes: Optional[List[int]] = None,
+        retry_server_directed_only: Optional[bool] = None,
         proxy_auth_method: Optional[str] = None,
         pool_connections: Optional[int] = None,
         pool_maxsize: Optional[int] = None,
@@ -79,6 +80,7 @@ def __init__(
         )
         self.retry_delay_default = retry_delay_default or 5.0
         self.retry_dangerous_codes = retry_dangerous_codes or []
+        self.retry_server_directed_only = bool(retry_server_directed_only)
         self.proxy_auth_method = proxy_auth_method
         self.pool_connections = pool_connections or 10
         self.pool_maxsize = pool_maxsize or 20
diff --git a/src/databricks/sql/auth/retry.py b/src/databricks/sql/auth/retry.py
@@ -94,6 +94,7 @@ def __init__(
         stop_after_attempts_duration: float,
         delay_default: float,
         force_dangerous_codes: List[int],
+        server_directed_only: bool = False,
         urllib3_kwargs: dict = {},
     ):
         # These values do not change from one command to the next
@@ -103,6 +104,7 @@ def __init__(
         self.stop_after_attempts_duration = stop_after_attempts_duration
         self._delay_default = delay_default
         self.force_dangerous_codes = force_dangerous_codes
+        self.server_directed_only = server_directed_only
 
         # the urllib3 kwargs are a mix of configuration (some of which we override)
         # and counters like `total` or `connect` which may change between successive retries
@@ -202,6 +204,7 @@ def new(
             stop_after_attempts_duration=self.stop_after_attempts_duration,
             delay_default=self.delay_default,
             force_dangerous_codes=self.force_dangerous_codes,
+            server_directed_only=self.server_directed_only,
             urllib3_kwargs={},
         )
 
@@ -323,7 +326,9 @@ def get_backoff_time(self) -> float:
 
         return proposed_backoff
 
-    def should_retry(self, method: str, status_code: int) -> Tuple[bool, str]:
+    def should_retry(
+        self, method: str, status_code: int, has_retry_after: bool = False
+    ) -> Tuple[bool, str]:
         """This method encapsulates the connector's approach to retries.
 
         We always retry a request unless one of these conditions is met:
@@ -381,6 +386,12 @@ def should_retry(self, method: str, status_code: int) -> Tuple[bool, str]:
         if not self._is_method_retryable(method):
             return False, "Only POST requests are retried"
 
+        # In server_directed_only mode, only retry when the server explicitly signals
+        # it's safe via a Retry-After header. This prevents duplicate side effects for
+        # non-idempotent operations.
+        if self.server_directed_only and not has_retry_after:
+            return (False, "server_directed_only mode: no Retry-After header present")
+
         # Request failed with 404 and was a GetOperationStatus. This is not recoverable. Don't retry.
         if status_code == 404 and self.command_type == CommandType.GET_OPERATION_STATUS:
             return (
@@ -450,7 +461,7 @@ def is_retry(
         Logs a debug message if the request will be retried
         """
 
-        should_retry, msg = self.should_retry(method, status_code)
+        should_retry, msg = self.should_retry(method, status_code, has_retry_after)
 
         if should_retry:
             logger.debug(msg)
diff --git a/src/databricks/sql/backend/sea/utils/http_client.py b/src/databricks/sql/backend/sea/utils/http_client.py
@@ -90,6 +90,9 @@ def __init__(
         )
         self._retry_delay_default = kwargs.get("_retry_delay_default", 5.0)
         self.force_dangerous_codes = kwargs.get("_retry_dangerous_codes", [])
+        self._retry_server_directed_only = kwargs.get(
+            "_retry_server_directed_only", False
+        )
 
         # Connection pooling settings
         self.max_connections = kwargs.get("max_connections", 10)
@@ -114,6 +117,7 @@ def __init__(
                 stop_after_attempts_duration=self._retry_stop_after_attempts_duration,
                 delay_default=self._retry_delay_default,
                 force_dangerous_codes=self.force_dangerous_codes,
+                server_directed_only=self._retry_server_directed_only,
                 urllib3_kwargs=urllib3_kwargs,
             )
         else:
diff --git a/src/databricks/sql/backend/thrift_backend.py b/src/databricks/sql/backend/thrift_backend.py
@@ -189,6 +189,9 @@ def __init__(
                 " This behaviour is deprecated and will be removed in a future release."
             )
         self.force_dangerous_codes = kwargs.get("_retry_dangerous_codes", [])
+        self._retry_server_directed_only = kwargs.get(
+            "_retry_server_directed_only", False
+        )
 
         additional_transport_args = {}
 
@@ -215,6 +218,7 @@ def __init__(
                 stop_after_attempts_duration=self._retry_stop_after_attempts_duration,
                 delay_default=self._retry_delay_default,
                 force_dangerous_codes=self.force_dangerous_codes,
+                server_directed_only=self._retry_server_directed_only,
                 urllib3_kwargs=urllib3_kwargs,
             )
 
diff --git a/src/databricks/sql/common/unified_http_client.py b/src/databricks/sql/common/unified_http_client.py
@@ -99,6 +99,7 @@ def _setup_pool_managers(self):
             stop_after_attempts_duration=self.config.retry_stop_after_attempts_duration,
             delay_default=self.config.retry_delay_default,
             force_dangerous_codes=self.config.retry_dangerous_codes,
+            server_directed_only=self.config.retry_server_directed_only,
         )
 
         # Initialize the required attributes that DatabricksRetryPolicy expects
diff --git a/src/databricks/sql/utils.py b/src/databricks/sql/utils.py
@@ -919,6 +919,7 @@ def build_client_context(server_hostname: str, version: str, **kwargs):
         ),
         retry_delay_default=kwargs.get("_retry_delay_default"),
         retry_dangerous_codes=kwargs.get("_retry_dangerous_codes"),
+        retry_server_directed_only=kwargs.get("_retry_server_directed_only"),
         proxy_auth_method=kwargs.get("_proxy_auth_method"),
         pool_connections=kwargs.get("_pool_connections"),
         pool_maxsize=kwargs.get("_pool_maxsize"),
diff --git a/tests/unit/test_retry.py b/tests/unit/test_retry.py
@@ -83,3 +83,123 @@ def test_excessive_retry_attempts_error(self, t_mock, retry_policy):
                 retry_policy.sleep(HTTPResponse(status=503))
                 # Internally urllib3 calls the increment function generating a new instance for every retry
                 retry_policy = retry_policy.increment()
+
+    @pytest.fixture()
+    def server_directed_retry_policy(self) -> DatabricksRetryPolicy:
+        return DatabricksRetryPolicy(
+            delay_min=1,
+            delay_max=30,
+            stop_after_attempts_count=3,
+            stop_after_attempts_duration=900,
+            delay_default=2,
+            force_dangerous_codes=[],
+            server_directed_only=True,
+        )
+
+    def test_server_directed_only__retries_with_retry_after(
+        self, server_directed_retry_policy
+    ):
+        """429 + Retry-After header → should retry"""
+        server_directed_retry_policy._retry_start_time = time.time()
+        server_directed_retry_policy.command_type = CommandType.OTHER
+        should_retry, msg = server_directed_retry_policy.should_retry(
+            "POST", 429, has_retry_after=True
+        )
+        assert should_retry is True
+
+    def test_server_directed_only__no_retry_without_retry_after(
+        self, server_directed_retry_policy
+    ):
+        """429 without Retry-After header → no retry"""
+        server_directed_retry_policy._retry_start_time = time.time()
+        server_directed_retry_policy.command_type = CommandType.OTHER
+        should_retry, msg = server_directed_retry_policy.should_retry(
+            "POST", 429, has_retry_after=False
+        )
+        assert should_retry is False
+        assert "server_directed_only" in msg
+
+    def test_server_directed_only__no_retry_503_without_header(
+        self, server_directed_retry_policy
+    ):
+        """503 without Retry-After header → no retry"""
+        server_directed_retry_policy._retry_start_time = time.time()
+        server_directed_retry_policy.command_type = CommandType.OTHER
+        should_retry, msg = server_directed_retry_policy.should_retry(
+            "POST", 503, has_retry_after=False
+        )
+        assert should_retry is False
+        assert "server_directed_only" in msg
+
+    def test_server_directed_only__overrides_dangerous_codes(self):
+        """force_dangerous_codes=[500] + no Retry-After → no retry in server_directed_only mode"""
+        policy = DatabricksRetryPolicy(
+            delay_min=1,
+            delay_max=30,
+            stop_after_attempts_count=3,
+            stop_after_attempts_duration=900,
+            delay_default=2,
+            force_dangerous_codes=[500],
+            server_directed_only=True,
+        )
+        policy._retry_start_time = time.time()
+        policy.command_type = CommandType.EXECUTE_STATEMENT
+        should_retry, msg = policy.should_retry("POST", 500, has_retry_after=False)
+        assert should_retry is False
+        assert "server_directed_only" in msg
+
+    def test_server_directed_only__non_retryable_codes_unaffected(
+        self, server_directed_retry_policy
+    ):
+        """401/403/501 still don't retry even with Retry-After header"""
+        server_directed_retry_policy._retry_start_time = time.time()
+        server_directed_retry_policy.command_type = CommandType.OTHER
+        for code in [401, 403, 501]:
+            should_retry, msg = server_directed_retry_policy.should_retry(
+                "POST", code, has_retry_after=True
+            )
+            assert should_retry is False, f"Code {code} should never retry"
+
+    def test_default_mode_unchanged(self, retry_policy):
+        """server_directed_only=False preserves existing behavior — 429 retries without header"""
+        retry_policy._retry_start_time = time.time()
+        retry_policy.command_type = CommandType.OTHER
+        should_retry, msg = retry_policy.should_retry(
+            "POST", 429, has_retry_after=False
+        )
+        assert should_retry is True
+
+    def test_server_directed_only__survives_new(self, server_directed_retry_policy):
+        """urllib3 calls .new() between retries to create a fresh policy instance.
+        Verify that server_directed_only is carried over and still enforced."""
+        server_directed_retry_policy._retry_start_time = time.time()
+        server_directed_retry_policy.command_type = CommandType.OTHER
+        new_policy = server_directed_retry_policy.new()
+        assert new_policy.server_directed_only is True
+        # The new instance should still block retries without Retry-After
+        should_retry, msg = new_policy.should_retry("POST", 429, has_retry_after=False)
+        assert should_retry is False
+        assert "server_directed_only" in msg
+
+    def test_server_directed_only__execute_statement_with_retry_after(
+        self, server_directed_retry_policy
+    ):
+        """EXECUTE_STATEMENT + 429 + Retry-After header → retry"""
+        server_directed_retry_policy._retry_start_time = time.time()
+        server_directed_retry_policy.command_type = CommandType.EXECUTE_STATEMENT
+        should_retry, msg = server_directed_retry_policy.should_retry(
+            "POST", 429, has_retry_after=True
+        )
+        assert should_retry is True
+
+    def test_404_does_not_retry_for_any_command_type(self, retry_policy):
+        """Test that 404 never retries for any CommandType"""
+        retry_policy._retry_start_time = time.time()
+
+        # Test for each CommandType
+        for command_type in CommandType:
+            retry_policy.command_type = command_type
+            should_retry, msg = retry_policy.should_retry("POST", 404)
+
+            assert should_retry is False, f"404 should not retry for {command_type}"
+            assert "404" in msg or "NOT_FOUND" in msg

Original file line number	Diff line number	Diff line change
`@@ -189,6 +189,9 @@ def __init__(`
`189`	`189`	`" This behaviour is deprecated and will be removed in a future release."`
`190`	`190`	`)`
`191`	`191`	`self.force_dangerous_codes = kwargs.get("_retry_dangerous_codes", [])`
	`192`	`+ self._retry_server_directed_only = kwargs.get(`
	`193`	`+ "_retry_server_directed_only", False`
	`194`	`+ )`
`192`	`195`
`193`	`196`	`additional_transport_args = {}`
`194`	`197`
`@@ -215,6 +218,7 @@ def __init__(`
`215`	`218`	`stop_after_attempts_duration=self._retry_stop_after_attempts_duration,`
`216`	`219`	`delay_default=self._retry_delay_default,`
`217`	`220`	`force_dangerous_codes=self.force_dangerous_codes,`
	`221`	`+ server_directed_only=self._retry_server_directed_only,`
`218`	`222`	`urllib3_kwargs=urllib3_kwargs,`
`219`	`223`	`)`
`220`	`224`
Original file line number	Diff line number	Diff line change
`@@ -99,6 +99,7 @@ def _setup_pool_managers(self):`
`99`	`99`	`stop_after_attempts_duration=self.config.retry_stop_after_attempts_duration,`
`100`	`100`	`delay_default=self.config.retry_delay_default,`
`101`	`101`	`force_dangerous_codes=self.config.retry_dangerous_codes,`
	`102`	`+ server_directed_only=self.config.retry_server_directed_only,`
`102`	`103`	`)`
`103`	`104`
`104`	`105`	`# Initialize the required attributes that DatabricksRetryPolicy expects`