-
Notifications
You must be signed in to change notification settings - Fork 141
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update hip-1046.md #1066
base: main
Are you sure you want to change the base?
Update hip-1046.md #1066
Conversation
Based on feedback I've edited the following: * Updated Abstract to make problem statement clear. * Change entries containing "grpc_web nodes" to "grpc_web proxies" Signed-off-by: mab <140427262+Mark-Swirlds@users.noreply.github.com>
✅ Deploy Preview for hedera-hips ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
Signed-off-by: Joseph Sinclair <joseph.sinclair@swirldslabs.com>
Updates to gRPC-WEB HIP to address design considerations raised.
|
||
## Reference Implementation | ||
|
||
The reference implementation must be complete before any HIP is given the status of “Final”. The final implementation must include test code and documentation. | ||
The reference implementation must be complete before any HIP is given the status | ||
of “Final”. The final implementation must include test code and documentation. | ||
|
||
## Rejected Ideas |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would have expected a new field in node_create.proto
and node_update.proto
like:
repeated proto.ServiceEndpoint grpc_web_proxy_endpoint;
There are probably good reasons why this approach was not taken, even though it seems less error-prone to use. Can we please add an entry under "Rejected Ideas" explaining why this approach was not taken?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do we want to change the API like this? This looks more complicated and error-prone than the current definition.
|
||
*Alternatives Considered:* Another alternative was to continue with the current practice of hard-coding endpoints within the SDK. However, this method is not sustainable as it requires frequent updates and coordination, particularly as Hedera continues to decentralize. Dynamic discovery provides a more robust and future-proof solution. | ||
*Alternatives Considered:* Another alternative was to continue with the current |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This 80 character limit seems too restrictive and conflicts with our Java coding standards to use 120. The standards just mention java so not sure about other formats. Is it documented somewhere that we should use 80 for markdown?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is no standard for markdown that I know of, but github enforces 80 characters in much of the review interface (particularly suggestions), so I habitually reformat HIP markdown to 80 characters for ease of review.
I do not think there is any requirement to do so, however.
* There MUST NOT be more than one "secure gRPC" endpoint for | ||
* each `Node`.<br/> | ||
* If a `Node` has a "secure gRPC" endpoint, it SHOULD NOT have an | ||
* "insecure gRPC endpoint. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These statements are not really true. A node can have more than one secure port on different proxy IPs. A node can also have both secure and insecure on the same IP since they are different ports. I imagine in the future with permissionless some nodes might even want multiple secure per IP or multiple insecure per IP. Here's node 0.0.3 service endpoints on mainnet right now:
"service_endpoints":[
{"domain_name":"","ip_address_v4":"34.239.82.6","port":50211},
{"domain_name":"","ip_address_v4":"34.239.82.6","port":50212},
{"domain_name":"","ip_address_v4":"35.237.200.180","port":50211},
{"domain_name":"","ip_address_v4":"35.237.200.180","port":50212}]
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is permitted to do so (SHOULD is a recommendation keyword). It is not best practice, however.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was commenting on both statements. There is a MUST NOT statement that is not true.
And I disagree with your SHOULD recommendation as it can't be considered a bad practice if every node in production does it. The statements should reflect the reality on mainnet.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see. That is not ideal (having both secure and insecure endpoints is bad security practice), but I can remove the specification text (once the author returns and can accept a PR).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't understand the new proposal. The NodeCreateTransactionBody
for example, which adds a node to the address book, has ServiceEndpoints
such as gossip_endpoint
and service_endpoint
. This HIP doesn't change that. But it does add ServiceEndpointPurpose
. So what happens if I set a ServiceEndpoint on gossip_endpoint
with a purpose of SECURE_GRPC
?
I'm assuming the node transaction will have to be updated in an incompatible way? That isn't a problem since it is not currently used, but I didn't see that change in the specification section.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After this HIP, we would need to enforce the correct purpose
value for nodeCreate
and nodeUpdate
endpoint lists in consensus node software.
All changes needed would be compatible from the perspective of protobuf. The node transaction definitions do not need to be changed here as we're just adding a new field.
During upgrade we might need perform a state migration to set the purpose for each endpoint (which can be determined from the containing list and port, as Mirror Node does currently).
I think we should keep the different types of endpoints separated. Instead of putting everything into a single list and adding a type, I suggest defining the new field in
Both solutions provide the same functionality. Everything that can be configured with a single list can also be configured with two lists and vice versa. Storing the gRPC proxies in a separate list has several advantages, though:
I agree with @steven-sheehy's observation that we should not rely on port ranges to determine if an endpoint is secured. How about adding a boolean flag in |
This is exactly what the current HIP text does (aside from eliding the We probably also need to think about whether we expect to have more node types in the future. Already the |
I know. I think the new proposal is worse than the current HIP.
I do not see how the split between consensus and execution would influence the transactions. For block nodes, we probably want specialized transaction types. I do not see much commonality between consensus nodes and block nodes. |
In general this seems to be bad architecture to require nodes that only communicate via gRPC to maintain a list of endpoints that they do not control, nor can validate and attest to their correctness. If the problem is due to SDK design, the correction should be mitigated in that tech stack not the consensus node protocol. |
Node operators control all three types (gRPC, Proxy, gossip) endpoints for their node via nodeUpdate transactions. |
Based on feedback I've edited the following: