You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

683 lines
31 KiB

  1. # ADR 075: RPC Event Subscription Interface
  2. ## Changelog
  3. - 22-Jan-2022: Updated and expanded (@creachadair).
  4. - 20-Nov-2021: Initial draft (@creachadair).
  5. ---
  6. ## Status
  7. Proposed
  8. ---
  9. ## Background & Context
  10. For context, see [RFC 006: Event Subscription][rfc006].
  11. The [Tendermint RPC service][rpc-service] permits clients to subscribe to the
  12. event stream generated by a consensus node. This allows clients to observe the
  13. state of the consensus network, including details of the consensus algorithm
  14. state machine, proposals, transaction delivery, and block completion. The
  15. application may also attach custom key-value attributes to events to expose
  16. application-specific details to clients.
  17. The event subscription API in the RPC service currently comprises three methods:
  18. 1. `subscribe`: A request to subscribe to the events matching a specific
  19. [query expression][query-grammar]. Events can be filtered by their key-value
  20. attributes, including custom attributes provided by the application.
  21. 2. `unsubscribe`: A request to cancel an existing subscription based on its
  22. query expression.
  23. 3. `unsubscribe_all`: A request to cancel all existing subscriptions belonging
  24. to the client.
  25. There are some important technical and UX issues with the current RPC event
  26. subscription API. The rest of this ADR outlines these problems in detail, and
  27. proposes a new API scheme intended to address them.
  28. ### Issue 1: Persistent connections
  29. To subscribe to a node's event stream, a client needs a persistent connection
  30. to the node. Unlike the other methods of the service, for which each call is
  31. serviced by a short-lived HTTP round trip, subscription delivers a continuous
  32. stream of events to the client by hijacking the HTTP channel for a websocket.
  33. The stream (and hence the HTTP request) persists until either the subscription
  34. is explicitly cancelled, or the connection is closed.
  35. There are several problems with this API:
  36. 1. **Expensive per-connection state**: The server must maintain a substantial
  37. amount of state per subscriber client:
  38. - The current implementation uses a [WebSocket][ws] for each active
  39. subscriber. The connection must be maintained even if there are no
  40. matching events for a given client.
  41. The server can drop idle connections to save resources, but doing so
  42. terminates all subscriptions on those connections and forces those clients
  43. to re-connect, adding additional resource churn for the server.
  44. - In addition, the server maintains a separate buffer of undelivered events
  45. for each client. This is to reduce the dual risks that a client will miss
  46. events, and that a slow client could "push back" on the publisher,
  47. impeding the progress of consensus.
  48. Because event traffic is quite bursty, queues can potentially take up a
  49. lot of memory. Moreover, each subscriber may have a different filter
  50. query, so the server winds up having to duplicate the same events among
  51. multiple subscriber queues. Not only does this add memory pressure, but it
  52. does so most at the worst possible time, i.e., when the server is already
  53. under load from high event traffic.
  54. 2. **Operational access control is difficult**: The server's websocket
  55. interface exposes _all_ the RPC service endpoints, not only the subscription
  56. methods. This includes methods that allow callers to inject arbitrary
  57. transactions (`broadcast_tx_*`) and evidence (`broadcast_evidence`) into the
  58. network, remove transactions (`remove_tx`), and request arbitrary amounts of
  59. chain state.
  60. Filtering requests to the GET endpoint is straightforward: A reverse proxy
  61. like [nginx][nginx] can easily filter methods by URL path. Filtering POST
  62. requests takes a bit more work, but can be managed with a filter program
  63. that speaks [FastCGI][fcgi] and parses JSON-RPC request bodies.
  64. Filtering the websocket interface requires a dedicated proxy implementation.
  65. Although nginx can [reverse-proxy websockets][rp-ws], it does not support
  66. filtering websocket traffic via FastCGI. The operator would need to either
  67. implement a custom [nginx extension module][ng-xm] or build and run a
  68. standalone proxy that implements websocket and filters each session. Apart
  69. from the work, this also makes the system even more resource intensive, as
  70. well as introducing yet another connection that could potentially time out
  71. or stall on full buffers.
  72. Even for the simple case of restricting access to only event subscription,
  73. there is no easy solution currently: Once a caller has access to the
  74. websocket endpoint, it has complete access to the RPC service.
  75. ### Issue 2: Inconvenient client API
  76. The subscription interface has some inconvenient features for the client as
  77. well as the server. These include:
  78. 1. **Non-standard protocol:** The RPC service is mostly [JSON-RPC 2.0][jsonrpc2],
  79. but the subscription interface diverges from the standard.
  80. In a standard JSON-RPC 2.0 call, the client initiates a request to the
  81. server with a unique ID, and the server concludes the call by sending a
  82. reply for that ID. The `subscribe` implementation, however, sends multiple
  83. responses to the client's request:
  84. - The client sends `subscribe` with some ID `x` and the desired query
  85. - The server responds with ID `x` and an empty confirmation response.
  86. - The server then (repeatedly) sends event result responses with ID `x`, one
  87. for each item with a matching event.
  88. Standard JSON-RPC clients will reject the subsequent replies, as they
  89. announce a request ID (`x`) that is already complete. This means a caller
  90. has to implement Tendermint-specific handling for these responses.
  91. Moreover, the result format is different between the initial confirmation
  92. and the subsequent responses. This means a caller has to implement special
  93. logic for decoding the first response versus the subsequent ones.
  94. 2. **No way to detect data loss:** The subscriber connection can be terminated
  95. for many reasons. Even ignoring ordinary network issues (e.g., packet loss):
  96. - The server will drop messages and/or close the websocket if its write
  97. buffer fills, or if the queue of undelivered matching events is not
  98. drained fast enough. The client has no way to discover that messages were
  99. dropped even if the connection remains open.
  100. - Either the client or the server may close the websocket if the websocket
  101. PING and PONG exchanges are not handled correctly, or frequently enough.
  102. Even if correctly implemented, this may fail if the system is under high
  103. load and cannot service those control messages in a timely manner.
  104. When the connection is terminated, the server drops all the subscriptions
  105. for that client (as if it had called `unsubscribe_all`). Even if the client
  106. reconnects, any events that were published during the period between the
  107. disconnect and re-connect and re-subscription will be silently lost, and the
  108. client has no way to discover that it missed some relevant messages.
  109. 3. **No way to replay old events:** Even if a client knew it had missed some
  110. events (due to a disconnection, for example), the API provides no way for
  111. the client to "play back" events it may have missed.
  112. 4. **Large response sizes:** Some event data can be quite large, and there can
  113. be substantial duplication across items. The API allows the client to select
  114. _which_ events are reported, but has no way to control which parts of a
  115. matching event it wishes to receive.
  116. This can be costly on the server (which has to marshal those data into
  117. JSON), the network, and the client (which has to unmarshal the result and
  118. then pick through for the components that are relevant to it).
  119. Besides being inefficient, this also contributes to some of the persistent
  120. connection issues mentioned above, e.g., filling up the websocket write
  121. buffer and forcing the server to queue potentially several copies of a large
  122. value in memory.
  123. 5. **Client identity is tied to network address:** The Tendermint event API
  124. identifies each subscriber by a (Client ID, Query) pair. In the RPC service,
  125. the query is provided by the client, but the client ID is set to the TCP
  126. address of the client (typically "host:port" or "ip:port").
  127. This means that even if the server did _not_ drop subscriptions immediately
  128. when the websocket connection is closed, a client may not be able to
  129. reattach to its existing subscription. Dialing a new connection is likely
  130. to result in a different port (and, depending on their own proxy setup,
  131. possibly a different public IP).
  132. In isolation, this problem would be easy to work around with a new
  133. subscription parameter, but it would require several other changes to the
  134. handling of event subscriptions for that workaround to become useful.
  135. ---
  136. ## Decision
  137. (pending)
  138. To address the described problems, we will:
  139. 1. Introduce a new API for event subscription to the Tendermint RPC service.
  140. The proposed API is described in [Detailed Design](#detailed-design) below.
  141. 2. This new API will target the Tendermint v0.36 release, during which the
  142. current ("streaming") API will remain available as-is, but deprecated.
  143. 3. The streaming API will be entirely removed in release v0.37, which will
  144. require all users of event subscription to switch to the new API.
  145. > **Point for discussion:** Given that ABCI++ and PBTS are the main priorities
  146. > for v0.36, it would be fine to slip the first phase of this work to v0.37.
  147. > Unless there is a time problem, however, the proposed design does not disrupt
  148. > the work on ABCI++ or PBTS, and will not increase the scope of breaking
  149. > changes. Therefore the plan is to begin in v0.36 and slip only if necessary.
  150. ---
  151. ## Detailed Design
  152. ### Design Goals
  153. Specific goals of this design include:
  154. 1. Remove the need for a persistent connection to each subscription client.
  155. Subscribers should use the same HTTP request flow for event subscription
  156. requests as for other RPC calls.
  157. 2. The server retains minimal state (possibly none) per-subscriber. In
  158. particular:
  159. - The server does not buffer unconsumed writes nor queue undelivered events
  160. on a per-client basis.
  161. - A client that stalls or goes idle does not cost the server any resources.
  162. - Any event data that is buffered or stored is shared among _all_
  163. subscribers, and is not duplicated per client.
  164. 3. Slow clients have no impact (or minimal impact) on the rate of progress of
  165. the consensus algorithm, beyond the ambient overhead of servicing individual
  166. RPC requests.
  167. 4. Clients can tell when they have missed events matching their subscription,
  168. within some reasonable (configurable) window of time, and can "replay"
  169. events within that window to catch up.
  170. 5. Nice to have: It should be easy to use the event subscription API from
  171. existing standard tools and libraries, including command-line use for
  172. testing and experimentation.
  173. ### Definitions
  174. - The **event stream** of a node is a single, time-ordered, heterogeneous
  175. stream of event items.
  176. - Each **event item** comprises an **event datum** (for example, block header
  177. metadata for a new-block event), and zero or more optional **events**.
  178. - An **event** means the [ABCI `Event` data type][abci-event], which comprises
  179. a string type and zero or more string key-value **event attributes**.
  180. The use of the new terms "event item" and "event datum" is to avert confusion
  181. between the values that are published to the event bus (what we call here
  182. "event items") and the ABCI `Event` data type.
  183. - The node assigns each event item a unique identifier string called a
  184. **cursor**. A cursor must be unique among all events published by a single
  185. node, but it is not required to be unique globally across nodes.
  186. Cursors are time-ordered so that given event items A and B, if A was
  187. published before B, then cursor(A) < cursor(B) in lexicographic order.
  188. A minimum viable cursor implementation is a tuple consisting of a timestamp
  189. and a sequence number (e.g., `16CCC798FB5F4670-0123`). However, it may also
  190. be useful to append basic type information to a cursor, to allow efficient
  191. filtering (e.g., `16CCC87E91869050-0091:BeginBlock`).
  192. The initial implementation will use the minimum viable format.
  193. ### Discussion
  194. The node maintains an **event log**, a shared ordered record of the events
  195. published to its event bus within an operator-configurable time window. The
  196. initial implementation will store the event log in-memory, and the operator
  197. will be given two per-node configuration settings. Note, these names are
  198. provisional:
  199. - `[event-subscription] time-window`: A duration before present during which the
  200. node will retain event items published. Setting this value to zero disables
  201. event subscription.
  202. - `[event-subscription] max-items`: A maximum number of event items that the
  203. node will retain within the time window. If the number of items exceeds this
  204. value, the node discardes the oldest items in the window. Setting this value
  205. to zero means that no limit is imposed on the number of items.
  206. The node will retain all events within the time window, provided they do not
  207. exceed the maximum number. These config parameters allow the operator to
  208. loosely regulate how much memory and storage the node allocates to the event
  209. log. The client can use the server reply to tell whether the events it wants
  210. are still available from the event log.
  211. The event log is shared among all subscribers to the node.
  212. > **Discussion point:** Should events persist across node restarts?
  213. >
  214. > The current event API does not persist events across restarts, so this new
  215. > design does not either. Note, however, that we may "spill" older event data
  216. > to disk as a way of controlling memory use. Such usage is ephemeral, however,
  217. > and does not need to be tracked as node data (e.g., it could be temp files).
  218. ### Query API
  219. To retrieve event data, the client will call the (new) RPC method `events`.
  220. The parameters of this method will correspond to the following Go types:
  221. ```go
  222. type EventParams struct {
  223. // Optional filter spec. If nil or empty, all items are eligible.
  224. Filter *Filter `json:"filter"`
  225. // The maximum number of eligible results to return.
  226. // If zero or negative, the server will report a default number.
  227. MaxResults int `json:"max_results"`
  228. // Return only items after this cursor. If empty, the limit is just
  229. // before the the beginning of the event log.
  230. After string `json:"after_item"`
  231. // Return only items before this cursor. If empty, the limit is just
  232. // after the head of the event log.
  233. Before string `json:"before_item"`
  234. // Wait for up to this long for events to be available.
  235. WaitTime time.Duration `json:"wait_time"`
  236. }
  237. type Filter struct {
  238. Query string `json:"query"`
  239. }
  240. ```
  241. > **Discussion point:** The initial implementation will not cache filter
  242. > queries for the client. If this turns out to be a performance issue in
  243. > production, the service can keep a small shared cache of compiled queries.
  244. > Given the improvements from #7319 et seq., this should not be necessary.
  245. > **Discussion point:** For the initial implementation, the new API will use
  246. > the existing query language as-is. Future work may extend the Filter message
  247. > with a more structured and/or expressive query surface, but that is beyond
  248. > the scope of this design.
  249. The semantics of the request are as follows: An item in the event log is
  250. **eligible** for a query if:
  251. - It is newer than the `after_item` cursor (if set).
  252. - It is older than the `before_item` cursor (if set).
  253. - It matches the filter (if set).
  254. Among the eligible items in the log, the server returns up to `max_results` of
  255. the newest items, in reverse order of cursor. If `max_results` is unset the
  256. server chooses a number to return, and will cap `max_results` at a sensible
  257. limit.
  258. The `wait_time` parameter is used to effect polling. If `before_item` is empty,
  259. the server will wait for up to `wait_time` for additional items, if there are
  260. fewer than `max_results` eligible results in the log. If `wait_time` is zero,
  261. the server will return whatever eligible items are available immediately.
  262. If `before_item` non-empty, `wait_time` is ignored: new results are only added
  263. to the head of the log, so there is no need to wait. This allows the client to
  264. poll for new data, and "page" backward through matching event items. This is
  265. discussed in more detail below.
  266. The server will set a sensible cap on the maximum `wait_time`, overriding
  267. client-requested intervals longer than that.
  268. A successful reply from the `events` request corresponds to the following Go
  269. types:
  270. ```go
  271. type EventReply struct {
  272. // The items matching the request parameters, from newest
  273. // to oldest, if any were available within the timeout.
  274. Items []*EventItem `json:"items"`
  275. // This is true if there is at least one older matching item
  276. // available in the log that was not returned.
  277. More bool `json:"more"`
  278. // The cursor of the oldest item in the log at the time of this reply,
  279. // or "" if the log is empty.
  280. Oldest string `json:"oldest_item"`
  281. // The cursor of the newest item in the log at the time of this reply,
  282. // or "" if the log is empty.
  283. Newest string `json:"newest_item"`
  284. }
  285. type EventItem struct {
  286. // The cursor of this item.
  287. Cursor string `json:"cursor"`
  288. // The encoded event data for this item.
  289. // The type identifies the structure of the value.
  290. Data struct {
  291. Type string `json:"type"`
  292. Value json.RawMessage `json:"value"`
  293. } `json:"data"`
  294. }
  295. ```
  296. The `oldest_item` and `newest_item` fields of the reply report the cursors of
  297. the oldest and newest items (of any kind) recorded in the event log at the time
  298. of the reply, or are `""` if the log is empty.
  299. The `data` field contains the type-specific event datum, and `events` contain
  300. the ABCI events, if any were defined.
  301. > **Discussion point**: Based on [issue #7273][i7273], I did not include a
  302. > separate field in the response for the ABCI events, since it duplicates data
  303. > already stored elsewhere in the event data.
  304. The semantics of the reply are as follows:
  305. - If `items` is non-empty:
  306. - Items are ordered from newest to oldest.
  307. - If `more` is true, there is at least one additional, older item in the
  308. event log that was not returned (in excess of `max_results`).
  309. In this case the client can fetch the next page by setting `before_item`
  310. in a new request, to the cursor of the oldest item fetched (i.e., the
  311. last one in `items`).
  312. - Otherwise (if `more` is false), all the matching results have been
  313. reported (pagination is complete).
  314. - The first element of `items` identifies the newest item considered.
  315. Subsequent poll requests can set `after_item` to this cursor to skip
  316. items that were already retrieved.
  317. - If `items` is empty:
  318. - If the `before_item` was set in the request, there are no further
  319. eligible items for this query in the log (pagination is complete).
  320. This is just a safety case; the client can detect this without issuing
  321. another call by consulting the `more` field of the previous reply.
  322. - If the `before_item` was empty in the request, no eligible items were
  323. available before the `wait_time` expired. The client may poll again to
  324. wait for more event items.
  325. A client can store cursor values to detect data loss and to recover from
  326. crashes and connectivity issues:
  327. - After a crash, the client requests events after the newest cursor it has
  328. seen. If the reply indicates that cursor is no longer in range, the client
  329. may (conservatively) conclude some event data may have been lost.
  330. - On the other hand, if it _is_ in range, the client can then page back through
  331. the results that it missed, and then resume polling. As long as its recovery
  332. cursor does not age out before it finishes, the client can be sure it has all
  333. the relevant results.
  334. ### Other Notes
  335. - The new API supports two general "modes" of operation:
  336. 1. In ordinary operation, clients will **long-poll** the head of the event
  337. log for new events matching their criteria (by setting a `wait_time` and
  338. no `before_item`).
  339. 2. If there are more events than the client requested, or if the client needs
  340. to to read older events to recover from a stall or crash , clients will
  341. **page** backward through the event log (by setting `before_item` and
  342. possibly `after_item`).
  343. - While the new API requires explicit polling by the client, it makes better
  344. use of the node's existing HTTP infrastructure (e.g., connection pools).
  345. Moreover, the direct implementation is easier to use from standard tools and
  346. client libraries for HTTP and JSON-RPC.
  347. Explicit polling does shift the burden of timeliness to the client. That is
  348. arguably preferable, however, given that the RPC service is ancillary to the
  349. node's primary goal, viz., consensus. The details of polling can be easily
  350. hidden from client applications with simple libraries.
  351. - The format of a cursor is considered opaque to the client. Clients must not
  352. parse cursor values, but they may rely on their ordering properties.
  353. - To maintain the event log, the server must prune items outside the time
  354. window and in excess of the item limit.
  355. The initial implementation will do this by checking the tail of the event log
  356. after each new item is published. If the number of items in the log exceeds
  357. the item limit, it will delete oldest items until the log is under the limit;
  358. then discard any older than the time window before present.
  359. To minimize coordination interference between the publisher (the event bus)
  360. and the subcribers (the `events` service handlers), the event log will be
  361. stored as a persistent linear queue with shared structure (a cons list). A
  362. single reader-writer mutex will guard the "head" of the queue where new
  363. items are published:
  364. - **To publish a new item**, the publisher acquires the write lock, conses a
  365. new item to the front of the existing queue, and replaces the head pointer
  366. with the new item.
  367. - **To scan the queue**, a reader acquires the read lock, captures the head
  368. pointer, and then releases the lock. The rest of its request can be served
  369. without holding a lock, since the queue structure will not change.
  370. When a reader wants to wait, it will yield the lock and wait on a condition
  371. that is signaled when the publisher swings the pointer.
  372. - **To prune the queue**, the publisher (who is the sole writer) will track
  373. the queue length and the age of the oldest item separately. When the
  374. length and or age exceed the configured bounds, it will construct a new
  375. queue spine on the same items, discarding out-of-band values.
  376. Pruning can be done while the publisher already holds the write lock, or
  377. could be done outside the lock entirely: Once the new queue is constructed,
  378. the lock can be re-acquired to swing the pointer. This costs some extra
  379. allocations for the cons cells, but avoids duplicating any event items.
  380. The pruning step is a simple linear scan down the first (up to) max-items
  381. elements of the queue, to find the breakpoint of age and length.
  382. Moreover, the publisher can amortize the cost of pruning by item count, if
  383. necessary, by pruning length "more aggressively" than the configuration
  384. requires (e.g., reducing to 3/4 of the maximum rather than 1/1).
  385. The state of the event log before the publisher acquires the lock:
  386. ![Before publish and pruning](./img/adr-075-log-before.png)
  387. After the publisher has added a new item and pruned old ones:
  388. ![After publish and pruning](./img/adr-075-log-after.png)
  389. ### Migration Plan
  390. This design requires that clients eventually migrate to the new event
  391. subscription API, but provides a full release cycle with both APIs in place to
  392. make this burden more tractable. The migration strategy is broadly:
  393. **Phase 1**: Release v0.36.
  394. - Implement the new `events` endpoint, keeping the existing methods as they are.
  395. - Update the Go clients to support the new `events` endpoint, and handle polling.
  396. - Update the old endpoints to log annoyingly about their own deprecation.
  397. - Write tutorials about how to migrate client usage.
  398. At or shortly after release, we should proactively update the Cosmos SDK to use
  399. the new API, to remove a disincentive to upgrading.
  400. **Phase 2**: Release v0.37
  401. - During development, we should actively seek out any existing users of the
  402. streaming event subscription API and help them migrate.
  403. - Possibly also: Spend some time writing clients for JS, Rust, et al.
  404. - Release: Delete the old implementation and all the websocket support code.
  405. > **Discussion point**: Even though the plan is to keep the existing service,
  406. > we might take the opportunity to restrict the websocket endpoint to _only_
  407. > the event streaming service, removing the other endpoints. To minimize the
  408. > disruption for users in the v0.36 cycle, I have decided not to do this for
  409. > the first phase.
  410. >
  411. > If we wind up pushing this design into v0.37, however, we should re-evaulate
  412. > this partial turn-down of the websocket.
  413. ### Future Work
  414. - This design does not immediately address the problem of allowing the client
  415. to control which data are reported back for event items. That concern is
  416. deferred to future work. However, it would be straightforward to extend the
  417. filter and/or the request parameters to allow more control.
  418. - The node currently stores a subset of event data (specifically the block and
  419. transaction events) for use in reindexing. While these data are redundant
  420. with the event log described in this document, they are not sufficient to
  421. cover event subscription, as they omit other event types.
  422. In the future we should investigate consolidating or removing event data from
  423. the state store entirely. For now this issue is out of scope for purposes of
  424. updating the RPC API. We may be able to piggyback on the database unification
  425. plans (see [RFC 001][rfc001]) to store the event log separately, so its
  426. pruning policy does not need to be tied to the block and state stores.
  427. - This design reuses the existing filter query language from the old API. In
  428. the future we may want to use a more structured and/or expressive query. The
  429. Filter object can be extended with more fields as needed to support this.
  430. - Some users have trouble communicating with the RPC service because of
  431. configuration problems like improperly-set CORS policies. While this design
  432. does not address those issues directly, we might want to revisit how we set
  433. policies in the RPC service to make it less susceptible to confusing errors
  434. caused by misconfiguration.
  435. ---
  436. ## Consequences
  437. - ✅ Reduces the number of transport options for RPC. Supports [RFC 002][rfc002].
  438. - ️✅ Removes the primary non-standard use of JSON-RPC.
  439. - ⛔️ Forces clients to migrate to a different API (eventually).
  440. - ↕️ API requires clients to poll, but this reduces client state on the server.
  441. - ↕️ We have to maintain both implementations for a whole release, but this
  442. gives clients time to migrate.
  443. ---
  444. ## Alternative Approaches
  445. The following alternative approaches were considered:
  446. 1. **Leave it alone.** Since existing tools mostly already work with the API as
  447. it stands today, we could leave it alone and do our best to improve its
  448. performance and reliability.
  449. Based on many issues reported by users and node operators (e.g.,
  450. [#3380][i3380], [#6439][i6439], [#6729][i6729], [#7247][i7247]), the
  451. problems described here affect even the existing use that works. Investing
  452. further incremental effort in the existing API is unlikely to address these
  453. issues.
  454. 2. **Design a better streaming API.** Instead of polling, we might try to
  455. design a better "streaming" API for event subscription.
  456. A significant advantage of switching away from streaming is to remove the
  457. need for persistent connections between the node and subscribers. A new
  458. streaming protocol design would lose that advantage, and would still need a
  459. way to let clients recover and replay.
  460. This approach might look better if we decided to use a different protocol
  461. for event subscription, say gRPC instead of JSON-RPC. That choice, however,
  462. would be just as breaking for existing clients, for marginal benefit.
  463. Moreover, this option increases both the complexity and the resource cost on
  464. the node implementation.
  465. Given that resource consumption and complexity are important considerations,
  466. this option was not chosen.
  467. 3. **Defer to an external event broker.** We might remove the entire event
  468. subscription infrastructure from the node, and define an optional interface
  469. to allow the node to publish all its events to an external event broker,
  470. such as Apache Kafka.
  471. This has the advantage of greatly simplifying the node, but at a great cost
  472. to the node operator: To enable event subscription in this design, the
  473. operator has to stand up and maintain a separate process in communion with
  474. the node, and configuration changes would have to be coordinated across
  475. both.
  476. Moreover, this approach would be highly disruptive to existing client use,
  477. and migration would probably require switching to third-party libraries.
  478. Despite the potential benefits for the node itself, the costs to operators
  479. and clients seems too large for this to be the best option.
  480. Publishing to an external event broker might be a worthwhile future project,
  481. if there is any demand for it. That decision is out of scope for this design,
  482. as it interacts with the design of the indexer as well.
  483. ---
  484. ## References
  485. - [RFC 006: Event Subscription][rfc006]
  486. - [Tendermint RPC service][rpc-service]
  487. - [Event query grammar][query-grammar]
  488. - [RFC 6455: The WebSocket protocol][ws]
  489. - [JSON-RPC 2.0 Specification][jsonrpc2]
  490. - [Nginx proxy server][nginx]
  491. - [Proxying websockets][rp-ws]
  492. - [Extension modules][ng-xm]
  493. - [FastCGI][fcgi]
  494. - [RFC 001: Storage Engines & Database Layer][rfc001]
  495. - [RFC 002: Interprocess Communication in Tendermint][rfc002]
  496. - Issues:
  497. - [rpc/client: test that client resubscribes upon disconnect][i3380] (#3380)
  498. - [Too high memory usage when creating many events subscriptions][i6439] (#6439)
  499. - [Tendermint emits events faster than clients can pull them][i6729] (#6729)
  500. - [indexer: unbuffered event subscription slow down the consensus][i7247] (#7247)
  501. - [rpc: remove duplication of events when querying][i7273] (#7273)
  502. [rfc006]: https://github.com/tendermint/tendermint/blob/master/docs/rfc/rfc-006-event-subscription.md
  503. [rpc-service]: https://docs.tendermint.com/master/rpc
  504. [query-grammar]: https://pkg.go.dev/github.com/tendermint/tendermint@master/internal/pubsub/query/syntax
  505. [ws]: https://datatracker.ietf.org/doc/html/rfc6455
  506. [jsonrpc2]: https://www.jsonrpc.org/specification
  507. [nginx]: https://nginx.org/en/docs/
  508. [fcgi]: http://www.mit.edu/~yandros/doc/specs/fcgi-spec.html
  509. [rp-ws]: https://nginx.org/en/docs/http/websocket.html
  510. [ng-xm]: https://www.nginx.com/resources/wiki/extending/
  511. [abci-event]: https://pkg.go.dev/github.com/tendermint/tendermint/abci/types#Event
  512. [rfc001]: https://github.com/tendermint/tendermint/blob/master/docs/rfc/rfc-001-storage-engine.rst
  513. [rfc002]: https://github.com/tendermint/tendermint/blob/master/docs/rfc/rfc-002-ipc-ecosystem.md
  514. [i3380]: https://github.com/tendermint/tendermint/issues/3380
  515. [i6439]: https://github.com/tendermint/tendermint/issues/6439
  516. [i6729]: https://github.com/tendermint/tendermint/issues/6729
  517. [i7247]: https://github.com/tendermint/tendermint/issues/7247
  518. [i7273]: https://github.com/tendermint/tendermint/issues/7273