Improve leafnode subject interest isolation

It is now possible to configure leafnode subject interest isolation in
three ways:

1. For all leafnode connections on the node using the top-level `isolate_leafnode_interest`
   or `isolate` option in the leafnode block
2. Isolating specific remotes from east-west interest originating locally using
   the `isolate_leafnode_interest` or `isolate` option in the `remotes` config
3. Asking the remote side to isolate us from east-west interest originating remotely
   using the `request_isolation` option in the `remotes` config

Signed-off-by: Neil Twigg <[email protected]>

Author: neilalexander

server/leafnode.go

@@ -133,6 +133,10 @@ func (c *client) isHubLeafNode() bool {
 }
 
 func (c *client) isIsolatedLeafNode() bool {
+	// TODO(nat): In future we may want to pass in and consider an isolation
+	// group name here, which the hub and/or leaf could provide, so that we
+	// can isolate away certain LNs but not others on an opt-in basis. For
+	// now we will just isolate all LN interest until then.
 	return c.kind == LEAF && c.leaf.isolated
 }
 
@@ -826,6 +830,7 @@ func (c *client) sendLeafConnect(clusterName string, headers bool) error {
 		Compression:   c.leaf.compression,
 		RemoteAccount: c.acc.GetName(),
 		Proto:         c.srv.getServerProto(),
+		Isolate:       c.leaf.remote.RequestIsolation,
 	}
 
 	// If a signature callback is specified, this takes precedence over anything else.
@@ -994,7 +999,9 @@ func (s *Server) createLeafNode(conn net.Conn, rURL *url.URL, remote *leafNodeCf
 
 	// If the leafnode subject interest should be isolated, flag it here.
 	s.optsMu.RLock()
-	c.leaf.isolated = s.opts.LeafNode.IsolateLeafnodeInterest
+	if c.leaf.isolated = s.opts.LeafNode.IsolateLeafnodeInterest; !c.leaf.isolated && remote != nil {
+		c.leaf.isolated = remote.LocalIsolation
+	}
 	s.optsMu.RUnlock()
 
 	// For accepted LN connections, ws will be != nil if it was accepted
@@ -1844,6 +1851,7 @@ type leafConnectInfo struct {
 	Headers   bool     `json:"headers,omitempty"`
 	JetStream bool     `json:"jetstream,omitempty"`
 	DenyPub   []string `json:"deny_pub,omitempty"`
+	Isolate   bool     `json:"isolate,omitempty"`
 
 	// There was an existing field called:
 	// >> Comp bool `json:"compression,omitempty"`
@@ -1954,6 +1962,8 @@ func (c *client) processLeafNodeConnect(s *Server, arg []byte, lang string) erro
 	c.leaf.remoteServer = proto.Name
 	// Remember the remote account name
 	c.leaf.remoteAccName = proto.RemoteAccount
+	// Remember if the leafnode requested isolation.
+	c.leaf.isolated = c.leaf.isolated || proto.Isolate
 
 	// If the other side has declared itself a hub, so we will take on the spoke role.
 	if proto.Hub {

server/leafnode_test.go

@@ -10277,7 +10277,7 @@ func TestLeafNodesDisableRemote(t *testing.T) {
 	require_Equal(t, string(msg.Data), "hello4")
 }
 
-func TestLeafNodeIsolatedLeafSubjectPropagation(t *testing.T) {
+func TestLeafNodeIsolatedLeafSubjectPropagationGlobal(t *testing.T) {
 	for tname, isolated := range map[string]bool{
 		"Isolated": true,
 		"Normal":   false,
@@ -10326,6 +10326,221 @@ func TestLeafNodeIsolatedLeafSubjectPropagation(t *testing.T) {
 			checkLeafNodeConnectedCount(t, sp1, 1)
 			checkLeafNodeConnectedCount(t, sp2, 1)
 
+			// We expect that the hub side will have answered the request from the spoke for
+			// isolation if needed, but the spokes themselves will not themselves isolate
+			// subscription interest in the other direction unless also configured to do so.
+			for _, c := range sh.leafs {
+				require_Equal(t, c.leaf.isolated, isolated)
+			}
+			for _, c := range sp1.leafs {
+				require_False(t, c.leaf.isolated)
+			}
+			for _, c := range sp2.leafs {
+				require_False(t, c.leaf.isolated)
+			}
+
+			nch := natsConnect(t, sh.ClientURL(), nats.UserInfo("HA", "pwd"))
+			nc1 := natsConnect(t, sp1.ClientURL(), nats.UserInfo("A", "pwd"))
+
+			// Create a north-south subscription on the hub that should be visible to both spokes.
+			nssub, err := nch.SubscribeSync("northsouth")
+			require_NoError(t, err)
+			checkSubInterest(t, sh, "HA", "northsouth", time.Second) // Visible to the hub.
+			checkSubInterest(t, sp1, "A", "northsouth", time.Second) // Visible to both spokes.
+			checkSubInterest(t, sp2, "A", "northsouth", time.Second) // Visible to both spokes.
+
+			// The spoke subscriptions should be visible to the hub in all cases, but only
+			// visible to other spokes if they are not isolated.
+			ewsub, err := nc1.SubscribeSync("eastwest")
+			require_NoError(t, err)
+			checkSubInterest(t, sh, "HA", "eastwest", time.Second) // Visible to the hub.
+			checkSubInterest(t, sp1, "A", "eastwest", time.Second) // Visible to the spoke with the sub.
+			if isolated {
+				checkSubNoInterest(t, sp2, "A", "eastwest", time.Second) // Not visible to the other spoke.
+			} else {
+				checkSubInterest(t, sp2, "A", "eastwest", time.Second) // Visible to the other spoke.
+			}
+			require_NoError(t, ewsub.Unsubscribe())
+			checkSubNoInterest(t, sh, "HA", "eastwest", time.Second)
+			checkSubNoInterest(t, sp1, "A", "eastwest", time.Second)
+			checkSubNoInterest(t, sp2, "A", "eastwest", time.Second)
+
+			// ... but a subscription from the hub should be visible to both.
+			require_NoError(t, nssub.Unsubscribe())
+			checkSubNoInterest(t, sh, "HA", "northsouth", time.Second)
+			checkSubNoInterest(t, sp1, "A", "northsouth", time.Second)
+			checkSubNoInterest(t, sp2, "A", "northsouth", time.Second)
+		})
+	}
+}
+
+func TestLeafNodeIsolatedLeafSubjectPropagationRequestIsolation(t *testing.T) {
+	for tname, isolated := range map[string]bool{
+		"Isolated": true,
+		"Normal":   false,
+	} {
+		t.Run(tname, func(t *testing.T) {
+			hubTmpl := `
+				port: -1
+				server_name: "%s"
+				accounts {
+					HA { users: [{user: HA, password: pwd}] }
+				}
+				leafnodes {
+					port: -1
+				}
+			`
+			confH := createConfFile(t, []byte(fmt.Sprintf(hubTmpl, "H1")))
+			sh, oh := RunServerWithConfig(confH)
+			defer sh.Shutdown()
+
+			spokeTmpl := `
+				port: -1
+				server_name: "%s"
+				accounts {
+					A { users: [{user: A, password: pwd}] }
+				}
+				leafnodes {
+					remotes [
+						{
+							url: "nats://HA:[email protected]:%d"
+							local: "A"
+							request_isolation: %v
+						}
+					]
+				}
+			`
+
+			confSP1 := createConfFile(t, []byte(fmt.Sprintf(spokeTmpl, "SP1", oh.LeafNode.Port, isolated)))
+			sp1, _ := RunServerWithConfig(confSP1)
+			defer sp1.Shutdown()
+
+			confSP2 := createConfFile(t, []byte(fmt.Sprintf(spokeTmpl, "SP2", oh.LeafNode.Port, isolated)))
+			sp2, _ := RunServerWithConfig(confSP2)
+			defer sp2.Shutdown()
+
+			checkLeafNodeConnectedCount(t, sh, 2)
+			checkLeafNodeConnectedCount(t, sp1, 1)
+			checkLeafNodeConnectedCount(t, sp2, 1)
+
+			// We expect that the hub side will have answered the request from the spoke for
+			// isolation if needed, but the spokes themselves will not themselves isolate
+			// subscription interest in the other direction unless also configured to do so.
+			for _, c := range sh.leafs {
+				require_Equal(t, c.leaf.isolated, isolated)
+			}
+			for _, c := range sp1.leafs {
+				require_False(t, c.leaf.isolated)
+			}
+			for _, c := range sp2.leafs {
+				require_False(t, c.leaf.isolated)
+			}
+
+			nch := natsConnect(t, sh.ClientURL(), nats.UserInfo("HA", "pwd"))
+			nc1 := natsConnect(t, sp1.ClientURL(), nats.UserInfo("A", "pwd"))
+
+			// Create a north-south subscription on the hub that should be visible to both spokes.
+			nssub, err := nch.SubscribeSync("northsouth")
+			require_NoError(t, err)
+			checkSubInterest(t, sh, "HA", "northsouth", time.Second) // Visible to the hub.
+			checkSubInterest(t, sp1, "A", "northsouth", time.Second) // Visible to both spokes.
+			checkSubInterest(t, sp2, "A", "northsouth", time.Second) // Visible to both spokes.
+
+			// The spoke subscriptions should be visible to the hub in all cases, but only
+			// visible to other spokes if they are not isolated.
+			ewsub, err := nc1.SubscribeSync("eastwest")
+			require_NoError(t, err)
+			checkSubInterest(t, sh, "HA", "eastwest", time.Second) // Visible to the hub.
+			checkSubInterest(t, sp1, "A", "eastwest", time.Second) // Visible to the spoke with the sub.
+			if isolated {
+				checkSubNoInterest(t, sp2, "A", "eastwest", time.Second) // Not visible to the other spoke.
+			} else {
+				checkSubInterest(t, sp2, "A", "eastwest", time.Second) // Visible to the other spoke.
+			}
+			require_NoError(t, ewsub.Unsubscribe())
+			checkSubNoInterest(t, sh, "HA", "eastwest", time.Second)
+			checkSubNoInterest(t, sp1, "A", "eastwest", time.Second)
+			checkSubNoInterest(t, sp2, "A", "eastwest", time.Second)
+
+			// ... but a subscription from the hub should be visible to both.
+			require_NoError(t, nssub.Unsubscribe())
+			checkSubNoInterest(t, sh, "HA", "northsouth", time.Second)
+			checkSubNoInterest(t, sp1, "A", "northsouth", time.Second)
+			checkSubNoInterest(t, sp2, "A", "northsouth", time.Second)
+		})
+	}
+}
+
+func TestLeafNodeIsolatedLeafSubjectPropagationLocalIsolation(t *testing.T) {
+	for tname, isolated := range map[string]bool{
+		"Isolated": true,
+		"Normal":   false,
+	} {
+		t.Run(tname, func(t *testing.T) {
+			spokeTmpl := `
+				port: -1
+				server_name: "%s"
+				accounts {
+					A { users: [{user: A, password: pwd}] }
+				}
+				leafnodes {
+					port: -1
+				}
+			`
+
+			confSP1 := createConfFile(t, []byte(fmt.Sprintf(spokeTmpl, "SP1")))
+			sp1, osp1 := RunServerWithConfig(confSP1)
+			defer sp1.Shutdown()
+
+			confSP2 := createConfFile(t, []byte(fmt.Sprintf(spokeTmpl, "SP2")))
+			sp2, osp2 := RunServerWithConfig(confSP2)
+			defer sp2.Shutdown()
+
+			hubTmpl := `
+				port: -1
+				server_name: "%s"
+				accounts {
+					HA { users: [{user: HA, password: pwd}] }
+				}
+				leafnodes {
+					port: -1
+					remotes [
+						{
+							url: "nats://A:[email protected]:%d"
+							local: "HA"
+							isolate: %v
+							hub: true
+						},
+						{
+							url: "nats://A:[email protected]:%d"
+							local: "HA"
+							isolate: %v
+							hub: true
+						}
+					]
+				}
+			`
+			confH := createConfFile(t, []byte(fmt.Sprintf(hubTmpl, "H1", osp1.LeafNode.Port, isolated, osp2.LeafNode.Port, isolated)))
+			sh, _ := RunServerWithConfig(confH)
+			defer sh.Shutdown()
+
+			checkLeafNodeConnectedCount(t, sh, 2)
+			checkLeafNodeConnectedCount(t, sp1, 1)
+			checkLeafNodeConnectedCount(t, sp2, 1)
+
+			// We expect that the hub side will have answered the request from the spoke for
+			// isolation if needed, but the spokes themselves will not themselves isolate
+			// subscription interest in the other direction unless also configured to do so.
+			for _, c := range sh.leafs {
+				require_Equal(t, c.leaf.isolated, isolated)
+			}
+			for _, c := range sp1.leafs {
+				require_False(t, c.leaf.isolated)
+			}
+			for _, c := range sp2.leafs {
+				require_False(t, c.leaf.isolated)
+			}
+
 			nch := natsConnect(t, sh.ClientURL(), nats.UserInfo("HA", "pwd"))
 			nc1 := natsConnect(t, sp1.ClientURL(), nats.UserInfo("A", "pwd"))
 

server/opts.go

@@ -253,6 +253,12 @@ type RemoteLeafOpts struct {
 	// will be migrated away from this server if still disconnected.
 	JetStreamClusterMigrateDelay time.Duration `json:"jetstream_cluster_migrate_delay,omitempty"`
 
+	// LocalIsolation isolates this remote from east-west subject interest originating locally.
+	LocalIsolation bool `json:"local_isolation,omitempty"`
+
+	// RequestIsolation asks the remote side to isolate us from their east-west subject interest.
+	RequestIsolation bool `json:"request_isolation,omitempty"`
+
 	// If this is set to true, the connection to this remote will not be solicited.
 	// During a configuration reload, if this is changed from `false` to `true`, the
 	// existing connection will be closed and not solicited again (until it is changed
@@ -2971,6 +2977,10 @@ func parseRemoteLeafNodes(v any, errors *[]error, warnings *[]error) ([]*RemoteL
 				default:
 					*errors = append(*errors, &configErr{tk, fmt.Sprintf("Expected boolean or map for jetstream_cluster_migrate, got %T", v)})
 				}
+			case "isolate_leafnode_interest", "isolate":
+				remote.LocalIsolation = v.(bool)
+			case "request_isolation":
+				remote.RequestIsolation = v.(bool)
 			case "compression":
 				if err := parseCompression(&remote.Compression, CompressionS2Auto, tk, k, v); err != nil {
 					*errors = append(*errors, err)