-
Notifications
You must be signed in to change notification settings - Fork 187
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Topic handles and ownership #198
Comments
@Stebalien Thanks for the writing this up. I wanted to flesh out the motivation behind the Topic Handles part a bit more:
|
This all sounds reasonable. |
@raulk you're close but off by a bit. The validators will belong to the topic for now so they're defined on each trunk instead of the branches. Also, the proposed API in #184 bundles publishing with the topic handle since there's only one topic handle and there's only a need for one publishing handle. |
Ok, that makes sense. Rationale: defining validators on the leaves (subscribers and publishers) would prevent us from attaching validators to relay-only topics (i.e. a topic we're helping disseminate, but we're not actively consuming from), because such topics have no leaves. Put a different way: validators secure payloads flowing through a topic (topic handle), not local logic (subscriber, publisher). |
I think Relay only nodes must also validate -- otherwise they may forward invalid messages which offers attackers an easy avenue to inject invalid messages without being discovered. TL;DR: the validator must be attached to the topic, even for relay only nodes. |
👍 to Also, we may at some point want to add the ability to auto-blacklist people who send us invalid messages regularly, which means relays would probably want to validate. |
Relays will almost certainly want to validate, otherwise they are open to attack. |
Now that the PR starting off the Topic handlers has landed #184. There were a few DX changes I think we should consider
Thoughts? @Stebalien @raulk @vyzo |
IMO, yes to all of those. |
Motivation
Publish
without first callingSubscribe
will often just drop the message.Proposal
Join
function that returns aTopic
handle (which can be closed to leave the topic). Joining a topic handle subscribes to the topic internally, performs any discovery necessary to find peers participating in the topic, and joins the topic mesh.Discussion
There are two somewhat orthogonal parts to this proposal: topic handles and exclusivity.
Topic Handles
The motivation for the topic handle is pretty clear. Unless we're in a fully connected network,
Publish
can't currently be used independently ofSubscribe
and topic handles try to resolve this issue.Exclusivity
The concern here was: how do we make it easy for multiple services to reliably use a single pubsub service at the same time. The specific concern was validator registration.
We landed on three options:
Global Validators
This is the option I proposed in #58. The user would have to setup global topic validators and would be responsible for managing conflicts up-front. This is pretty close to how DHT validators work.
However, unlike the DHT, we expect services using pubsub to add new validators for new topic types at runtime. A single over-zealous validator registered by one service could interfere with other services.
Independent Subscriptions
Next we considered associating validators with subscriptions (or topic handles). The idea was to:
The catch was applying the validators independently. If two services, A and B, subscribe to the same topic but have different ideas of validity for messages that topic, naively rejecting all messages that fail A's validator would prevent B from receiving some messages it would consider valid.
The solution I proposed was treat these subscribers independently:
This would effectively act like two independent pubsub nodes.
Exclusive Subscriptions
The funky part of the "independent subscriptions" proposal is that we could end up forwarding messages that one or more validators marked as invalid. This could, e.g., cause our peers to mark us as "bad" and drop us because we're forwarding bad messages.
We had two key insights:
The second insight gives us a simple solution: only allow one service to "own" a topic at a time and allow that service to control all validators on that topic. This matches the behavior of protocol handlers, transports, etc.
This is also the safest option as we can upgrade to "independent subscriptions" at any time if it becomes an issue.
The text was updated successfully, but these errors were encountered: