You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

684 lines
31 KiB

  1. # ADR 075: RPC Event Subscription Interface
  2. ## Changelog
  3. - 26-Jan-2022: Marked accepted.
  4. - 22-Jan-2022: Updated and expanded (@creachadair).
  5. - 20-Nov-2021: Initial draft (@creachadair).
  6. ---
  7. ## Status
  8. Accepted
  9. ---
  10. ## Background & Context
  11. For context, see [RFC 006: Event Subscription][rfc006].
  12. The [Tendermint RPC service][rpc-service] permits clients to subscribe to the
  13. event stream generated by a consensus node. This allows clients to observe the
  14. state of the consensus network, including details of the consensus algorithm
  15. state machine, proposals, transaction delivery, and block completion. The
  16. application may also attach custom key-value attributes to events to expose
  17. application-specific details to clients.
  18. The event subscription API in the RPC service currently comprises three methods:
  19. 1. `subscribe`: A request to subscribe to the events matching a specific
  20. [query expression][query-grammar]. Events can be filtered by their key-value
  21. attributes, including custom attributes provided by the application.
  22. 2. `unsubscribe`: A request to cancel an existing subscription based on its
  23. query expression.
  24. 3. `unsubscribe_all`: A request to cancel all existing subscriptions belonging
  25. to the client.
  26. There are some important technical and UX issues with the current RPC event
  27. subscription API. The rest of this ADR outlines these problems in detail, and
  28. proposes a new API scheme intended to address them.
  29. ### Issue 1: Persistent connections
  30. To subscribe to a node's event stream, a client needs a persistent connection
  31. to the node. Unlike the other methods of the service, for which each call is
  32. serviced by a short-lived HTTP round trip, subscription delivers a continuous
  33. stream of events to the client by hijacking the HTTP channel for a websocket.
  34. The stream (and hence the HTTP request) persists until either the subscription
  35. is explicitly cancelled, or the connection is closed.
  36. There are several problems with this API:
  37. 1. **Expensive per-connection state**: The server must maintain a substantial
  38. amount of state per subscriber client:
  39. - The current implementation uses a [WebSocket][ws] for each active
  40. subscriber. The connection must be maintained even if there are no
  41. matching events for a given client.
  42. The server can drop idle connections to save resources, but doing so
  43. terminates all subscriptions on those connections and forces those clients
  44. to re-connect, adding additional resource churn for the server.
  45. - In addition, the server maintains a separate buffer of undelivered events
  46. for each client. This is to reduce the dual risks that a client will miss
  47. events, and that a slow client could "push back" on the publisher,
  48. impeding the progress of consensus.
  49. Because event traffic is quite bursty, queues can potentially take up a
  50. lot of memory. Moreover, each subscriber may have a different filter
  51. query, so the server winds up having to duplicate the same events among
  52. multiple subscriber queues. Not only does this add memory pressure, but it
  53. does so most at the worst possible time, i.e., when the server is already
  54. under load from high event traffic.
  55. 2. **Operational access control is difficult**: The server's websocket
  56. interface exposes _all_ the RPC service endpoints, not only the subscription
  57. methods. This includes methods that allow callers to inject arbitrary
  58. transactions (`broadcast_tx_*`) and evidence (`broadcast_evidence`) into the
  59. network, remove transactions (`remove_tx`), and request arbitrary amounts of
  60. chain state.
  61. Filtering requests to the GET endpoint is straightforward: A reverse proxy
  62. like [nginx][nginx] can easily filter methods by URL path. Filtering POST
  63. requests takes a bit more work, but can be managed with a filter program
  64. that speaks [FastCGI][fcgi] and parses JSON-RPC request bodies.
  65. Filtering the websocket interface requires a dedicated proxy implementation.
  66. Although nginx can [reverse-proxy websockets][rp-ws], it does not support
  67. filtering websocket traffic via FastCGI. The operator would need to either
  68. implement a custom [nginx extension module][ng-xm] or build and run a
  69. standalone proxy that implements websocket and filters each session. Apart
  70. from the work, this also makes the system even more resource intensive, as
  71. well as introducing yet another connection that could potentially time out
  72. or stall on full buffers.
  73. Even for the simple case of restricting access to only event subscription,
  74. there is no easy solution currently: Once a caller has access to the
  75. websocket endpoint, it has complete access to the RPC service.
  76. ### Issue 2: Inconvenient client API
  77. The subscription interface has some inconvenient features for the client as
  78. well as the server. These include:
  79. 1. **Non-standard protocol:** The RPC service is mostly [JSON-RPC 2.0][jsonrpc2],
  80. but the subscription interface diverges from the standard.
  81. In a standard JSON-RPC 2.0 call, the client initiates a request to the
  82. server with a unique ID, and the server concludes the call by sending a
  83. reply for that ID. The `subscribe` implementation, however, sends multiple
  84. responses to the client's request:
  85. - The client sends `subscribe` with some ID `x` and the desired query
  86. - The server responds with ID `x` and an empty confirmation response.
  87. - The server then (repeatedly) sends event result responses with ID `x`, one
  88. for each item with a matching event.
  89. Standard JSON-RPC clients will reject the subsequent replies, as they
  90. announce a request ID (`x`) that is already complete. This means a caller
  91. has to implement Tendermint-specific handling for these responses.
  92. Moreover, the result format is different between the initial confirmation
  93. and the subsequent responses. This means a caller has to implement special
  94. logic for decoding the first response versus the subsequent ones.
  95. 2. **No way to detect data loss:** The subscriber connection can be terminated
  96. for many reasons. Even ignoring ordinary network issues (e.g., packet loss):
  97. - The server will drop messages and/or close the websocket if its write
  98. buffer fills, or if the queue of undelivered matching events is not
  99. drained fast enough. The client has no way to discover that messages were
  100. dropped even if the connection remains open.
  101. - Either the client or the server may close the websocket if the websocket
  102. PING and PONG exchanges are not handled correctly, or frequently enough.
  103. Even if correctly implemented, this may fail if the system is under high
  104. load and cannot service those control messages in a timely manner.
  105. When the connection is terminated, the server drops all the subscriptions
  106. for that client (as if it had called `unsubscribe_all`). Even if the client
  107. reconnects, any events that were published during the period between the
  108. disconnect and re-connect and re-subscription will be silently lost, and the
  109. client has no way to discover that it missed some relevant messages.
  110. 3. **No way to replay old events:** Even if a client knew it had missed some
  111. events (due to a disconnection, for example), the API provides no way for
  112. the client to "play back" events it may have missed.
  113. 4. **Large response sizes:** Some event data can be quite large, and there can
  114. be substantial duplication across items. The API allows the client to select
  115. _which_ events are reported, but has no way to control which parts of a
  116. matching event it wishes to receive.
  117. This can be costly on the server (which has to marshal those data into
  118. JSON), the network, and the client (which has to unmarshal the result and
  119. then pick through for the components that are relevant to it).
  120. Besides being inefficient, this also contributes to some of the persistent
  121. connection issues mentioned above, e.g., filling up the websocket write
  122. buffer and forcing the server to queue potentially several copies of a large
  123. value in memory.
  124. 5. **Client identity is tied to network address:** The Tendermint event API
  125. identifies each subscriber by a (Client ID, Query) pair. In the RPC service,
  126. the query is provided by the client, but the client ID is set to the TCP
  127. address of the client (typically "host:port" or "ip:port").
  128. This means that even if the server did _not_ drop subscriptions immediately
  129. when the websocket connection is closed, a client may not be able to
  130. reattach to its existing subscription. Dialing a new connection is likely
  131. to result in a different port (and, depending on their own proxy setup,
  132. possibly a different public IP).
  133. In isolation, this problem would be easy to work around with a new
  134. subscription parameter, but it would require several other changes to the
  135. handling of event subscriptions for that workaround to become useful.
  136. ---
  137. ## Decision
  138. (pending)
  139. To address the described problems, we will:
  140. 1. Introduce a new API for event subscription to the Tendermint RPC service.
  141. The proposed API is described in [Detailed Design](#detailed-design) below.
  142. 2. This new API will target the Tendermint v0.36 release, during which the
  143. current ("streaming") API will remain available as-is, but deprecated.
  144. 3. The streaming API will be entirely removed in release v0.37, which will
  145. require all users of event subscription to switch to the new API.
  146. > **Point for discussion:** Given that ABCI++ and PBTS are the main priorities
  147. > for v0.36, it would be fine to slip the first phase of this work to v0.37.
  148. > Unless there is a time problem, however, the proposed design does not disrupt
  149. > the work on ABCI++ or PBTS, and will not increase the scope of breaking
  150. > changes. Therefore the plan is to begin in v0.36 and slip only if necessary.
  151. ---
  152. ## Detailed Design
  153. ### Design Goals
  154. Specific goals of this design include:
  155. 1. Remove the need for a persistent connection to each subscription client.
  156. Subscribers should use the same HTTP request flow for event subscription
  157. requests as for other RPC calls.
  158. 2. The server retains minimal state (possibly none) per-subscriber. In
  159. particular:
  160. - The server does not buffer unconsumed writes nor queue undelivered events
  161. on a per-client basis.
  162. - A client that stalls or goes idle does not cost the server any resources.
  163. - Any event data that is buffered or stored is shared among _all_
  164. subscribers, and is not duplicated per client.
  165. 3. Slow clients have no impact (or minimal impact) on the rate of progress of
  166. the consensus algorithm, beyond the ambient overhead of servicing individual
  167. RPC requests.
  168. 4. Clients can tell when they have missed events matching their subscription,
  169. within some reasonable (configurable) window of time, and can "replay"
  170. events within that window to catch up.
  171. 5. Nice to have: It should be easy to use the event subscription API from
  172. existing standard tools and libraries, including command-line use for
  173. testing and experimentation.
  174. ### Definitions
  175. - The **event stream** of a node is a single, time-ordered, heterogeneous
  176. stream of event items.
  177. - Each **event item** comprises an **event datum** (for example, block header
  178. metadata for a new-block event), and zero or more optional **events**.
  179. - An **event** means the [ABCI `Event` data type][abci-event], which comprises
  180. a string type and zero or more string key-value **event attributes**.
  181. The use of the new terms "event item" and "event datum" is to avert confusion
  182. between the values that are published to the event bus (what we call here
  183. "event items") and the ABCI `Event` data type.
  184. - The node assigns each event item a unique identifier string called a
  185. **cursor**. A cursor must be unique among all events published by a single
  186. node, but it is not required to be unique globally across nodes.
  187. Cursors are time-ordered so that given event items A and B, if A was
  188. published before B, then cursor(A) < cursor(B) in lexicographic order.
  189. A minimum viable cursor implementation is a tuple consisting of a timestamp
  190. and a sequence number (e.g., `16CCC798FB5F4670-0123`). However, it may also
  191. be useful to append basic type information to a cursor, to allow efficient
  192. filtering (e.g., `16CCC87E91869050-0091:BeginBlock`).
  193. The initial implementation will use the minimum viable format.
  194. ### Discussion
  195. The node maintains an **event log**, a shared ordered record of the events
  196. published to its event bus within an operator-configurable time window. The
  197. initial implementation will store the event log in-memory, and the operator
  198. will be given two per-node configuration settings. Note, these names are
  199. provisional:
  200. - `[event-subscription] time-window`: A duration before present during which the
  201. node will retain event items published. Setting this value to zero disables
  202. event subscription.
  203. - `[event-subscription] max-items`: A maximum number of event items that the
  204. node will retain within the time window. If the number of items exceeds this
  205. value, the node discardes the oldest items in the window. Setting this value
  206. to zero means that no limit is imposed on the number of items.
  207. The node will retain all events within the time window, provided they do not
  208. exceed the maximum number. These config parameters allow the operator to
  209. loosely regulate how much memory and storage the node allocates to the event
  210. log. The client can use the server reply to tell whether the events it wants
  211. are still available from the event log.
  212. The event log is shared among all subscribers to the node.
  213. > **Discussion point:** Should events persist across node restarts?
  214. >
  215. > The current event API does not persist events across restarts, so this new
  216. > design does not either. Note, however, that we may "spill" older event data
  217. > to disk as a way of controlling memory use. Such usage is ephemeral, however,
  218. > and does not need to be tracked as node data (e.g., it could be temp files).
  219. ### Query API
  220. To retrieve event data, the client will call the (new) RPC method `events`.
  221. The parameters of this method will correspond to the following Go types:
  222. ```go
  223. type EventParams struct {
  224. // Optional filter spec. If nil or empty, all items are eligible.
  225. Filter *Filter `json:"filter"`
  226. // The maximum number of eligible results to return.
  227. // If zero or negative, the server will report a default number.
  228. MaxResults int `json:"max_results"`
  229. // Return only items after this cursor. If empty, the limit is just
  230. // before the the beginning of the event log.
  231. After string `json:"after_item"`
  232. // Return only items before this cursor. If empty, the limit is just
  233. // after the head of the event log.
  234. Before string `json:"before_item"`
  235. // Wait for up to this long for events to be available.
  236. WaitTime time.Duration `json:"wait_time"`
  237. }
  238. type Filter struct {
  239. Query string `json:"query"`
  240. }
  241. ```
  242. > **Discussion point:** The initial implementation will not cache filter
  243. > queries for the client. If this turns out to be a performance issue in
  244. > production, the service can keep a small shared cache of compiled queries.
  245. > Given the improvements from #7319 et seq., this should not be necessary.
  246. > **Discussion point:** For the initial implementation, the new API will use
  247. > the existing query language as-is. Future work may extend the Filter message
  248. > with a more structured and/or expressive query surface, but that is beyond
  249. > the scope of this design.
  250. The semantics of the request are as follows: An item in the event log is
  251. **eligible** for a query if:
  252. - It is newer than the `after_item` cursor (if set).
  253. - It is older than the `before_item` cursor (if set).
  254. - It matches the filter (if set).
  255. Among the eligible items in the log, the server returns up to `max_results` of
  256. the newest items, in reverse order of cursor. If `max_results` is unset the
  257. server chooses a number to return, and will cap `max_results` at a sensible
  258. limit.
  259. The `wait_time` parameter is used to effect polling. If `before_item` is empty,
  260. the server will wait for up to `wait_time` for additional items, if there are
  261. fewer than `max_results` eligible results in the log. If `wait_time` is zero,
  262. the server will return whatever eligible items are available immediately.
  263. If `before_item` non-empty, `wait_time` is ignored: new results are only added
  264. to the head of the log, so there is no need to wait. This allows the client to
  265. poll for new data, and "page" backward through matching event items. This is
  266. discussed in more detail below.
  267. The server will set a sensible cap on the maximum `wait_time`, overriding
  268. client-requested intervals longer than that.
  269. A successful reply from the `events` request corresponds to the following Go
  270. types:
  271. ```go
  272. type EventReply struct {
  273. // The items matching the request parameters, from newest
  274. // to oldest, if any were available within the timeout.
  275. Items []*EventItem `json:"items"`
  276. // This is true if there is at least one older matching item
  277. // available in the log that was not returned.
  278. More bool `json:"more"`
  279. // The cursor of the oldest item in the log at the time of this reply,
  280. // or "" if the log is empty.
  281. Oldest string `json:"oldest_item"`
  282. // The cursor of the newest item in the log at the time of this reply,
  283. // or "" if the log is empty.
  284. Newest string `json:"newest_item"`
  285. }
  286. type EventItem struct {
  287. // The cursor of this item.
  288. Cursor string `json:"cursor"`
  289. // The encoded event data for this item.
  290. // The type identifies the structure of the value.
  291. Data struct {
  292. Type string `json:"type"`
  293. Value json.RawMessage `json:"value"`
  294. } `json:"data"`
  295. }
  296. ```
  297. The `oldest_item` and `newest_item` fields of the reply report the cursors of
  298. the oldest and newest items (of any kind) recorded in the event log at the time
  299. of the reply, or are `""` if the log is empty.
  300. The `data` field contains the type-specific event datum, and `events` contain
  301. the ABCI events, if any were defined.
  302. > **Discussion point**: Based on [issue #7273][i7273], I did not include a
  303. > separate field in the response for the ABCI events, since it duplicates data
  304. > already stored elsewhere in the event data.
  305. The semantics of the reply are as follows:
  306. - If `items` is non-empty:
  307. - Items are ordered from newest to oldest.
  308. - If `more` is true, there is at least one additional, older item in the
  309. event log that was not returned (in excess of `max_results`).
  310. In this case the client can fetch the next page by setting `before_item`
  311. in a new request, to the cursor of the oldest item fetched (i.e., the
  312. last one in `items`).
  313. - Otherwise (if `more` is false), all the matching results have been
  314. reported (pagination is complete).
  315. - The first element of `items` identifies the newest item considered.
  316. Subsequent poll requests can set `after_item` to this cursor to skip
  317. items that were already retrieved.
  318. - If `items` is empty:
  319. - If the `before_item` was set in the request, there are no further
  320. eligible items for this query in the log (pagination is complete).
  321. This is just a safety case; the client can detect this without issuing
  322. another call by consulting the `more` field of the previous reply.
  323. - If the `before_item` was empty in the request, no eligible items were
  324. available before the `wait_time` expired. The client may poll again to
  325. wait for more event items.
  326. A client can store cursor values to detect data loss and to recover from
  327. crashes and connectivity issues:
  328. - After a crash, the client requests events after the newest cursor it has
  329. seen. If the reply indicates that cursor is no longer in range, the client
  330. may (conservatively) conclude some event data may have been lost.
  331. - On the other hand, if it _is_ in range, the client can then page back through
  332. the results that it missed, and then resume polling. As long as its recovery
  333. cursor does not age out before it finishes, the client can be sure it has all
  334. the relevant results.
  335. ### Other Notes
  336. - The new API supports two general "modes" of operation:
  337. 1. In ordinary operation, clients will **long-poll** the head of the event
  338. log for new events matching their criteria (by setting a `wait_time` and
  339. no `before_item`).
  340. 2. If there are more events than the client requested, or if the client needs
  341. to to read older events to recover from a stall or crash , clients will
  342. **page** backward through the event log (by setting `before_item` and
  343. possibly `after_item`).
  344. - While the new API requires explicit polling by the client, it makes better
  345. use of the node's existing HTTP infrastructure (e.g., connection pools).
  346. Moreover, the direct implementation is easier to use from standard tools and
  347. client libraries for HTTP and JSON-RPC.
  348. Explicit polling does shift the burden of timeliness to the client. That is
  349. arguably preferable, however, given that the RPC service is ancillary to the
  350. node's primary goal, viz., consensus. The details of polling can be easily
  351. hidden from client applications with simple libraries.
  352. - The format of a cursor is considered opaque to the client. Clients must not
  353. parse cursor values, but they may rely on their ordering properties.
  354. - To maintain the event log, the server must prune items outside the time
  355. window and in excess of the item limit.
  356. The initial implementation will do this by checking the tail of the event log
  357. after each new item is published. If the number of items in the log exceeds
  358. the item limit, it will delete oldest items until the log is under the limit;
  359. then discard any older than the time window before present.
  360. To minimize coordination interference between the publisher (the event bus)
  361. and the subcribers (the `events` service handlers), the event log will be
  362. stored as a persistent linear queue with shared structure (a cons list). A
  363. single reader-writer mutex will guard the "head" of the queue where new
  364. items are published:
  365. - **To publish a new item**, the publisher acquires the write lock, conses a
  366. new item to the front of the existing queue, and replaces the head pointer
  367. with the new item.
  368. - **To scan the queue**, a reader acquires the read lock, captures the head
  369. pointer, and then releases the lock. The rest of its request can be served
  370. without holding a lock, since the queue structure will not change.
  371. When a reader wants to wait, it will yield the lock and wait on a condition
  372. that is signaled when the publisher swings the pointer.
  373. - **To prune the queue**, the publisher (who is the sole writer) will track
  374. the queue length and the age of the oldest item separately. When the
  375. length and or age exceed the configured bounds, it will construct a new
  376. queue spine on the same items, discarding out-of-band values.
  377. Pruning can be done while the publisher already holds the write lock, or
  378. could be done outside the lock entirely: Once the new queue is constructed,
  379. the lock can be re-acquired to swing the pointer. This costs some extra
  380. allocations for the cons cells, but avoids duplicating any event items.
  381. The pruning step is a simple linear scan down the first (up to) max-items
  382. elements of the queue, to find the breakpoint of age and length.
  383. Moreover, the publisher can amortize the cost of pruning by item count, if
  384. necessary, by pruning length "more aggressively" than the configuration
  385. requires (e.g., reducing to 3/4 of the maximum rather than 1/1).
  386. The state of the event log before the publisher acquires the lock:
  387. ![Before publish and pruning](./img/adr-075-log-before.png)
  388. After the publisher has added a new item and pruned old ones:
  389. ![After publish and pruning](./img/adr-075-log-after.png)
  390. ### Migration Plan
  391. This design requires that clients eventually migrate to the new event
  392. subscription API, but provides a full release cycle with both APIs in place to
  393. make this burden more tractable. The migration strategy is broadly:
  394. **Phase 1**: Release v0.36.
  395. - Implement the new `events` endpoint, keeping the existing methods as they are.
  396. - Update the Go clients to support the new `events` endpoint, and handle polling.
  397. - Update the old endpoints to log annoyingly about their own deprecation.
  398. - Write tutorials about how to migrate client usage.
  399. At or shortly after release, we should proactively update the Cosmos SDK to use
  400. the new API, to remove a disincentive to upgrading.
  401. **Phase 2**: Release v0.37
  402. - During development, we should actively seek out any existing users of the
  403. streaming event subscription API and help them migrate.
  404. - Possibly also: Spend some time writing clients for JS, Rust, et al.
  405. - Release: Delete the old implementation and all the websocket support code.
  406. > **Discussion point**: Even though the plan is to keep the existing service,
  407. > we might take the opportunity to restrict the websocket endpoint to _only_
  408. > the event streaming service, removing the other endpoints. To minimize the
  409. > disruption for users in the v0.36 cycle, I have decided not to do this for
  410. > the first phase.
  411. >
  412. > If we wind up pushing this design into v0.37, however, we should re-evaulate
  413. > this partial turn-down of the websocket.
  414. ### Future Work
  415. - This design does not immediately address the problem of allowing the client
  416. to control which data are reported back for event items. That concern is
  417. deferred to future work. However, it would be straightforward to extend the
  418. filter and/or the request parameters to allow more control.
  419. - The node currently stores a subset of event data (specifically the block and
  420. transaction events) for use in reindexing. While these data are redundant
  421. with the event log described in this document, they are not sufficient to
  422. cover event subscription, as they omit other event types.
  423. In the future we should investigate consolidating or removing event data from
  424. the state store entirely. For now this issue is out of scope for purposes of
  425. updating the RPC API. We may be able to piggyback on the database unification
  426. plans (see [RFC 001][rfc001]) to store the event log separately, so its
  427. pruning policy does not need to be tied to the block and state stores.
  428. - This design reuses the existing filter query language from the old API. In
  429. the future we may want to use a more structured and/or expressive query. The
  430. Filter object can be extended with more fields as needed to support this.
  431. - Some users have trouble communicating with the RPC service because of
  432. configuration problems like improperly-set CORS policies. While this design
  433. does not address those issues directly, we might want to revisit how we set
  434. policies in the RPC service to make it less susceptible to confusing errors
  435. caused by misconfiguration.
  436. ---
  437. ## Consequences
  438. - ✅ Reduces the number of transport options for RPC. Supports [RFC 002][rfc002].
  439. - ️✅ Removes the primary non-standard use of JSON-RPC.
  440. - ⛔️ Forces clients to migrate to a different API (eventually).
  441. - ↕️ API requires clients to poll, but this reduces client state on the server.
  442. - ↕️ We have to maintain both implementations for a whole release, but this
  443. gives clients time to migrate.
  444. ---
  445. ## Alternative Approaches
  446. The following alternative approaches were considered:
  447. 1. **Leave it alone.** Since existing tools mostly already work with the API as
  448. it stands today, we could leave it alone and do our best to improve its
  449. performance and reliability.
  450. Based on many issues reported by users and node operators (e.g.,
  451. [#3380][i3380], [#6439][i6439], [#6729][i6729], [#7247][i7247]), the
  452. problems described here affect even the existing use that works. Investing
  453. further incremental effort in the existing API is unlikely to address these
  454. issues.
  455. 2. **Design a better streaming API.** Instead of polling, we might try to
  456. design a better "streaming" API for event subscription.
  457. A significant advantage of switching away from streaming is to remove the
  458. need for persistent connections between the node and subscribers. A new
  459. streaming protocol design would lose that advantage, and would still need a
  460. way to let clients recover and replay.
  461. This approach might look better if we decided to use a different protocol
  462. for event subscription, say gRPC instead of JSON-RPC. That choice, however,
  463. would be just as breaking for existing clients, for marginal benefit.
  464. Moreover, this option increases both the complexity and the resource cost on
  465. the node implementation.
  466. Given that resource consumption and complexity are important considerations,
  467. this option was not chosen.
  468. 3. **Defer to an external event broker.** We might remove the entire event
  469. subscription infrastructure from the node, and define an optional interface
  470. to allow the node to publish all its events to an external event broker,
  471. such as Apache Kafka.
  472. This has the advantage of greatly simplifying the node, but at a great cost
  473. to the node operator: To enable event subscription in this design, the
  474. operator has to stand up and maintain a separate process in communion with
  475. the node, and configuration changes would have to be coordinated across
  476. both.
  477. Moreover, this approach would be highly disruptive to existing client use,
  478. and migration would probably require switching to third-party libraries.
  479. Despite the potential benefits for the node itself, the costs to operators
  480. and clients seems too large for this to be the best option.
  481. Publishing to an external event broker might be a worthwhile future project,
  482. if there is any demand for it. That decision is out of scope for this design,
  483. as it interacts with the design of the indexer as well.
  484. ---
  485. ## References
  486. - [RFC 006: Event Subscription][rfc006]
  487. - [Tendermint RPC service][rpc-service]
  488. - [Event query grammar][query-grammar]
  489. - [RFC 6455: The WebSocket protocol][ws]
  490. - [JSON-RPC 2.0 Specification][jsonrpc2]
  491. - [Nginx proxy server][nginx]
  492. - [Proxying websockets][rp-ws]
  493. - [Extension modules][ng-xm]
  494. - [FastCGI][fcgi]
  495. - [RFC 001: Storage Engines & Database Layer][rfc001]
  496. - [RFC 002: Interprocess Communication in Tendermint][rfc002]
  497. - Issues:
  498. - [rpc/client: test that client resubscribes upon disconnect][i3380] (#3380)
  499. - [Too high memory usage when creating many events subscriptions][i6439] (#6439)
  500. - [Tendermint emits events faster than clients can pull them][i6729] (#6729)
  501. - [indexer: unbuffered event subscription slow down the consensus][i7247] (#7247)
  502. - [rpc: remove duplication of events when querying][i7273] (#7273)
  503. [rfc006]: https://github.com/tendermint/tendermint/blob/master/docs/rfc/rfc-006-event-subscription.md
  504. [rpc-service]: https://docs.tendermint.com/master/rpc
  505. [query-grammar]: https://pkg.go.dev/github.com/tendermint/tendermint@master/internal/pubsub/query/syntax
  506. [ws]: https://datatracker.ietf.org/doc/html/rfc6455
  507. [jsonrpc2]: https://www.jsonrpc.org/specification
  508. [nginx]: https://nginx.org/en/docs/
  509. [fcgi]: http://www.mit.edu/~yandros/doc/specs/fcgi-spec.html
  510. [rp-ws]: https://nginx.org/en/docs/http/websocket.html
  511. [ng-xm]: https://www.nginx.com/resources/wiki/extending/
  512. [abci-event]: https://pkg.go.dev/github.com/tendermint/tendermint/abci/types#Event
  513. [rfc001]: https://github.com/tendermint/tendermint/blob/master/docs/rfc/rfc-001-storage-engine.rst
  514. [rfc002]: https://github.com/tendermint/tendermint/blob/master/docs/rfc/rfc-002-ipc-ecosystem.md
  515. [i3380]: https://github.com/tendermint/tendermint/issues/3380
  516. [i6439]: https://github.com/tendermint/tendermint/issues/6439
  517. [i6729]: https://github.com/tendermint/tendermint/issues/6729
  518. [i7247]: https://github.com/tendermint/tendermint/issues/7247
  519. [i7273]: https://github.com/tendermint/tendermint/issues/7273