|
@@ -0,0 +1,375 @@
|
|
|
+# How do faster joins work?
|
|
|
+
|
|
|
+This is a work-in-progress set of notes with two goals:
|
|
|
+- act as a reference, explaining how Synapse implements faster joins; and
|
|
|
+- record the rationale behind our choices.
|
|
|
+
|
|
|
+See also [MSC3902](https://github.com/matrix-org/matrix-spec-proposals/pull/3902).
|
|
|
+
|
|
|
+The key idea is described by [MSC706](https://github.com/matrix-org/matrix-spec-proposals/pull/3902). This allows servers to
|
|
|
+request a lightweight response to the federation `/send_join` endpoint.
|
|
|
+This is called a **faster join**, also known as a **partial join**. In these
|
|
|
+notes we'll usually use the word "partial" as it matches the database schema.
|
|
|
+
|
|
|
+## Overview: processing events in a partially-joined room
|
|
|
+
|
|
|
+The response to a partial join consists of
|
|
|
+- the requested join event `J`,
|
|
|
+- a list of the servers in the room (according to the state before `J`),
|
|
|
+- a subset of the state of the room before `J`,
|
|
|
+- the full auth chain of that state subset.
|
|
|
+
|
|
|
+Synapse marks the room as partially joined by adding a row to the database table
|
|
|
+`partial_state_rooms`. It also marks the join event `J` as "partially stated",
|
|
|
+meaning that we have neither received nor computed the full state before/after
|
|
|
+`J`. This is done by adding a row to `partial_state_events`.
|
|
|
+
|
|
|
+<details><summary>DB schema</summary>
|
|
|
+
|
|
|
+```
|
|
|
+matrix=> \d partial_state_events
|
|
|
+Table "matrix.partial_state_events"
|
|
|
+ Column │ Type │ Collation │ Nullable │ Default
|
|
|
+══════════╪══════╪═══════════╪══════════╪═════════
|
|
|
+ room_id │ text │ │ not null │
|
|
|
+ event_id │ text │ │ not null │
|
|
|
+
|
|
|
+matrix=> \d partial_state_rooms
|
|
|
+ Table "matrix.partial_state_rooms"
|
|
|
+ Column │ Type │ Collation │ Nullable │ Default
|
|
|
+════════════════════════╪════════╪═══════════╪══════════╪═════════
|
|
|
+ room_id │ text │ │ not null │
|
|
|
+ device_lists_stream_id │ bigint │ │ not null │ 0
|
|
|
+ join_event_id │ text │ │ │
|
|
|
+ joined_via │ text │ │ │
|
|
|
+
|
|
|
+matrix=> \d partial_state_rooms_servers
|
|
|
+ Table "matrix.partial_state_rooms_servers"
|
|
|
+ Column │ Type │ Collation │ Nullable │ Default
|
|
|
+═════════════╪══════╪═══════════╪══════════╪═════════
|
|
|
+ room_id │ text │ │ not null │
|
|
|
+ server_name │ text │ │ not null │
|
|
|
+```
|
|
|
+
|
|
|
+Indices, foreign-keys and check constraints are omitted for brevity.
|
|
|
+</details>
|
|
|
+
|
|
|
+While partially joined to a room, Synapse receives events `E` from remote
|
|
|
+homeservers as normal, and can create events at the request of its local users.
|
|
|
+However, we run into trouble when we enforce the [checks on an event].
|
|
|
+
|
|
|
+> 1. Is a valid event, otherwise it is dropped. For an event to be valid, it
|
|
|
+ must contain a room_id, and it must comply with the event format of that
|
|
|
+> room version.
|
|
|
+> 2. Passes signature checks, otherwise it is dropped.
|
|
|
+> 3. Passes hash checks, otherwise it is redacted before being processed further.
|
|
|
+> 4. Passes authorization rules based on the event’s auth events, otherwise it
|
|
|
+> is rejected.
|
|
|
+> 5. **Passes authorization rules based on the state before the event, otherwise
|
|
|
+> it is rejected.**
|
|
|
+> 6. **Passes authorization rules based on the current state of the room,
|
|
|
+> otherwise it is “soft failed”.**
|
|
|
+
|
|
|
+[checks on an event]: https://spec.matrix.org/v1.5/server-server-api/#checks-performed-on-receipt-of-a-pdu
|
|
|
+
|
|
|
+We can enforce checks 1--4 without any problems.
|
|
|
+But we cannot enforce checks 5 or 6 with complete certainty, since Synapse does
|
|
|
+not know the full state before `E`, nor that of the room.
|
|
|
+
|
|
|
+### Partial state
|
|
|
+
|
|
|
+Instead, we make a best-effort approximation.
|
|
|
+While the room is considered partially joined, Synapse tracks the "partial
|
|
|
+state" before events.
|
|
|
+This works in a similar way as regular state:
|
|
|
+
|
|
|
+- The partial state before `J` is that given to us by the partial join response.
|
|
|
+- The partial state before an event `E` is the resolution of the partial states
|
|
|
+ after each of `E`'s `prev_event`s.
|
|
|
+- If `E` is rejected or a message event, the partial state after `E` is the
|
|
|
+ partial state before `E`.
|
|
|
+- Otherwise, the partial state after `E` is the partial state before `E`, plus
|
|
|
+ `E` itself.
|
|
|
+
|
|
|
+More concisely, partial state propagates just like full state; the only
|
|
|
+difference is that we "seed" it with an incomplete initial state.
|
|
|
+Synapse records that we have only calculated partial state for this event with
|
|
|
+a row in `partial_state_events`.
|
|
|
+
|
|
|
+While the room remains partially stated, check 5 on incoming events to that
|
|
|
+room becomes:
|
|
|
+
|
|
|
+> 5. Passes authorization rules based on **the resolution between the partial
|
|
|
+> state before `E` and `E`'s auth events.** If the event fails to pass
|
|
|
+> authorization rules, it is rejected.
|
|
|
+
|
|
|
+Additionally, check 6 is deleted: no soft-failures are enforced.
|
|
|
+
|
|
|
+While partially joined, the current partial state of the room is defined as the
|
|
|
+resolution across the partial states after all forward extremities in the room.
|
|
|
+
|
|
|
+_Remark._ Events with partial state are _not_ considered
|
|
|
+[outliers](../room-dag-concepts.md#outliers).
|
|
|
+
|
|
|
+### Approximation error
|
|
|
+
|
|
|
+Using partial state means the auth checks can fail in a few different ways[^2].
|
|
|
+
|
|
|
+[^2]: Is this exhaustive?
|
|
|
+
|
|
|
+- We may erroneously accept an incoming event in check 5 based on partial state
|
|
|
+ when it would have been rejected based on full state, or vice versa.
|
|
|
+- This means that an event could erroneously be added to the current partial
|
|
|
+ state of the room when it would not be present in the full state of the room,
|
|
|
+ or vice versa.
|
|
|
+- Additionally, we may have skipped soft-failing an event that would have been
|
|
|
+ soft-failed based on full state.
|
|
|
+
|
|
|
+(Note that the discrepancies described in the last two bullets are user-visible.)
|
|
|
+
|
|
|
+This means that we have to be very careful when we want to lookup pieces of room
|
|
|
+state in a partially-joined room. Our approximation of the state may be
|
|
|
+incorrect or missing. But we can make some educated guesses. If
|
|
|
+
|
|
|
+- our partial state is likely to be correct, or
|
|
|
+- the consequences of our partial state being incorrect are minor,
|
|
|
+
|
|
|
+then we proceed as normal, and let the resync process fix up any mistakes (see
|
|
|
+below).
|
|
|
+
|
|
|
+When is our partial state likely to be correct?
|
|
|
+
|
|
|
+- It's more accurate the closer we are to the partial join event. (So we should
|
|
|
+ ideally complete the resync as soon as possible.)
|
|
|
+- Non-member events: we will have received them as part of the partial join
|
|
|
+ response, if they were part of the room state at that point. We may
|
|
|
+ incorrectly accept or reject updates to that state (at first because we lack
|
|
|
+ remote membership information; later because of compounding errors), so these
|
|
|
+ can become incorrect over time.
|
|
|
+- Local members' memberships: we are the only ones who can create join and
|
|
|
+ knock events for our users. We can't be completely confident in the
|
|
|
+ correctness of bans, invites and kicks from other homeservers, but the resync
|
|
|
+ process should correct any mistakes.
|
|
|
+- Remote members' memberships: we did not receive these in the /send_join
|
|
|
+ response, so we have essentially no idea if these are correct or not.
|
|
|
+
|
|
|
+In short, we deem it acceptable to trust the partial state for non-membership
|
|
|
+and local membership events. For remote membership events, we wait for the
|
|
|
+resync to complete, at which point we have the full state of the room and can
|
|
|
+proceed as normal.
|
|
|
+
|
|
|
+### Fixing the approximation with a resync
|
|
|
+
|
|
|
+The partial-state approximation is only a temporary affair. In the background,
|
|
|
+synapse beings a "resync" process. This is a continuous loop, starting at the
|
|
|
+partial join event and proceeding downwards through the event graph. For each
|
|
|
+`E` seen in the room since partial join, Synapse will fetch
|
|
|
+
|
|
|
+- the event ids in the state of the room before `E`, via
|
|
|
+ [`/state_ids`](https://spec.matrix.org/v1.5/server-server-api/#get_matrixfederationv1state_idsroomid);
|
|
|
+- the event ids in the full auth chain of `E`, included in the `/state_ids`
|
|
|
+ response; and
|
|
|
+- any events from the previous two bullets that Synapse hasn't persisted, via
|
|
|
+ [`/state](https://spec.matrix.org/v1.5/server-server-api/#get_matrixfederationv1stateroomid).
|
|
|
+
|
|
|
+This means Synapse has (or can compute) the full state before `E`, which allows
|
|
|
+Synapse to properly authorise or reject `E`. At this point ,the event
|
|
|
+is considered to have "full state" rather than "partial state". We record this
|
|
|
+by removing `E` from the `partial_state_events` table.
|
|
|
+
|
|
|
+\[**TODO:** Does Synapse persist a new state group for the full state
|
|
|
+before `E`, or do we alter the (partial-)state group in-place? Are state groups
|
|
|
+ever marked as partially-stated? \]
|
|
|
+
|
|
|
+This scheme means it is possible for us to have accepted and sent an event to
|
|
|
+clients, only to reject it during the resync. From a client's perspective, the
|
|
|
+effect is similar to a retroactive
|
|
|
+state change due to state resolution---i.e. a "state reset".[^3]
|
|
|
+
|
|
|
+[^3]: Clients should refresh caches to detect such a change. Rumour has it that
|
|
|
+sliding sync will fix this.
|
|
|
+
|
|
|
+When all events since the join `J` have been fully-stated, the room resync
|
|
|
+process is complete. We record this by removing the room from
|
|
|
+`partial_state_rooms`.
|
|
|
+
|
|
|
+## Faster joins on workers
|
|
|
+
|
|
|
+For the time being, the resync process happens on the master worker.
|
|
|
+A new replication stream `un_partial_stated_room` is added. Whenever a resync
|
|
|
+completes and a partial-state room becomes fully stated, a new message is sent
|
|
|
+into that stream containing the room ID.
|
|
|
+
|
|
|
+## Notes on specific cases
|
|
|
+
|
|
|
+> **NB.** The notes below are rough. Some of them are hidden under `<details>`
|
|
|
+disclosures because they have yet to be implemented in mainline Synapse.
|
|
|
+
|
|
|
+### Creating events during a partial join
|
|
|
+
|
|
|
+When sending out messages during a partial join, we assume our partial state is
|
|
|
+accurate and proceed as normal. For this to have any hope of succeeding at all,
|
|
|
+our partial state must contain an entry for each of the (type, state key) pairs
|
|
|
+[specified by the auth rules](https://spec.matrix.org/v1.3/rooms/v10/#authorization-rules):
|
|
|
+
|
|
|
+- `m.room.create`
|
|
|
+- `m.room.join_rules`
|
|
|
+- `m.room.power_levels`
|
|
|
+- `m.room.third_party_invite`
|
|
|
+- `m.room.member`
|
|
|
+
|
|
|
+The first four of these should be present in the state before `J` that is given
|
|
|
+to us in the partial join response; only membership events are omitted. In order
|
|
|
+for us to consider the user joined, we must have their membership event. That
|
|
|
+means the only possible omission is the target's membership in an invite, kick
|
|
|
+or ban.
|
|
|
+
|
|
|
+The worst possibility is that we locally invite someone who is banned according to
|
|
|
+the full state, because we lack their ban in our current partial state. The rest
|
|
|
+of the federation---at least, those who are fully joined---should correctly
|
|
|
+enforce the [membership transition constraints](
|
|
|
+ https://spec.matrix.org/v1.3/client-server-api/#room-membership
|
|
|
+). So any the erroneous invite should be ignored by fully-joined
|
|
|
+homeservers and resolved by the resync for partially-joined homeservers.
|
|
|
+
|
|
|
+
|
|
|
+
|
|
|
+In more generality, there are two problems we're worrying about here:
|
|
|
+
|
|
|
+- We might create an event that is valid under our partial state, only to later
|
|
|
+ find out that is actually invalid according to the full state.
|
|
|
+- Or: we might refuse to create an event that is invalid under our partial
|
|
|
+ state, even though it would be perfectly valid under the full state.
|
|
|
+
|
|
|
+However we expect such problems to be unlikely in practise, because
|
|
|
+
|
|
|
+- We trust that the room has sensible power levels, e.g. that bad actors with
|
|
|
+ high power levels are demoted before their ban.
|
|
|
+- We trust that the resident server provides us up-to-date power levels, join
|
|
|
+ rules, etc.
|
|
|
+- State changes in rooms are relatively infrequent, and the resync period is
|
|
|
+ relatively quick.
|
|
|
+
|
|
|
+#### Sending out the event over federation
|
|
|
+
|
|
|
+**TODO:** needs prose fleshing out.
|
|
|
+
|
|
|
+Normally: send out in a fed txn to all HSes in the room.
|
|
|
+We only know that some HSes were in the room at some point. Wat do.
|
|
|
+Send it out to the list of servers from the first join.
|
|
|
+**TODO** what do we do here if we have full state?
|
|
|
+If the prev event was created by us, we can risk sending it to the wrong HS. (Motivation: privacy concern of the content. Not such a big deal for a public room or an encrypted room. But non-encrypted invite-only...)
|
|
|
+But don't want to send out sensitive data in other HS's events in this way.
|
|
|
+
|
|
|
+Suppose we discover after resync that we shouldn't have sent out one our events (not a prev_event) to a target HS. Not much we can do.
|
|
|
+What about if we didn't send them an event but shouldn't've?
|
|
|
+E.g. what if someone joined from a new HS shortly after you did? We wouldn't talk to them.
|
|
|
+Could imagine sending out the "Missed" events after the resync but... painful to work out what they shuld have seen if they joined/left.
|
|
|
+Instead, just send them the latest event (if they're still in the room after resync) and let them backfill.(?)
|
|
|
+- Don't do this currently.
|
|
|
+- If anyone who has received our messages sends a message to a HS we missed, they can backfill our messages
|
|
|
+- Gap: rooms which are infrequently used and take a long time to resync.
|
|
|
+
|
|
|
+### Joining after a partial join
|
|
|
+
|
|
|
+**NB.** Not yet implemented.
|
|
|
+
|
|
|
+<details>
|
|
|
+
|
|
|
+**TODO:** needs prose fleshing out. Liase with Matthieu. Explain why /send_join
|
|
|
+(Rich was surprised we didn't just create it locally. Answer: to try and avoid
|
|
|
+a join which then gets rejected after resync.)
|
|
|
+
|
|
|
+We don't know for sure that any join we create would be accepted.
|
|
|
+E.g. the joined user might have been banned; the join rules might have changed in a way that we didn't realise... some way in which the partial state was mistaken.
|
|
|
+Instead, do another partial make-join/send-join handshake to confirm that the join works.
|
|
|
+- Probably going to get a bunch of duplicate state events and auth events.... but the point of partial joins is that these should be small. Many are already persisted = good.
|
|
|
+- What if the second send_join response includes a different list of reisdent HSes? Could ignore it.
|
|
|
+ - Could even have a special flag that says "just make me a join", i.e. don't bother giving me state or servers in room. Deffo want the auth chain tho.
|
|
|
+- SQ: wrt device lists it's a lot safer to ignore it!!!!!
|
|
|
+- What if the state at the second join is inconsistent with what we have? Ignore it?
|
|
|
+
|
|
|
+</details>
|
|
|
+
|
|
|
+### Leaving (and kicks and bans) after a partial join
|
|
|
+
|
|
|
+**NB.** Not yet implemented.
|
|
|
+
|
|
|
+<details>
|
|
|
+
|
|
|
+When you're fully joined to a room, to have `U` leave a room their homeserver
|
|
|
+needs to
|
|
|
+
|
|
|
+- create a new leave event for `U` which will be accepted by other homeservers,
|
|
|
+ and
|
|
|
+- send that event `U` out to the homeservers in the federation.
|
|
|
+
|
|
|
+When is a leave event accepted? See
|
|
|
+[v10 auth rules](https://spec.matrix.org/v1.5/rooms/v10/#authorization-rules):
|
|
|
+
|
|
|
+> 4. If type is m.room.member: [...]
|
|
|
+ >
|
|
|
+ > 5. If membership is leave:
|
|
|
+ >
|
|
|
+ > 1. If the sender matches state_key, allow if and only if that user’s current membership state is invite, join, or knock.
|
|
|
+> 2. [...]
|
|
|
+
|
|
|
+I think this means that (well-formed!) self-leaves are governed entirely by
|
|
|
+4.5.1. This means that if we correctly calculate state which says that `U` is
|
|
|
+invited, joined or knocked and include it in the leave's auth events, our event
|
|
|
+is accepted by checks 4 and 5 on incoming events.
|
|
|
+
|
|
|
+> 4. Passes authorization rules based on the event’s auth events, otherwise
|
|
|
+ > it is rejected.
|
|
|
+> 5. Passes authorization rules based on the state before the event, otherwise
|
|
|
+ > it is rejected.
|
|
|
+
|
|
|
+The only way to fail check 6 is if the receiving server's current state of the
|
|
|
+room says that `U` is banned, has left, or has no membership event. But this is
|
|
|
+fine: the receiving server already thinks that `U` isn't in the room.
|
|
|
+
|
|
|
+> 6. Passes authorization rules based on the current state of the room,
|
|
|
+ > otherwise it is “soft failed”.
|
|
|
+
|
|
|
+For the second point (publishing the leave event), the best thing we can do is
|
|
|
+to is publish to all HSes we know to be currently in the room. If they miss that
|
|
|
+event, they might send us traffic in the room that we don't care about. This is
|
|
|
+a problem with leaving after a "full" join; we don't seek to fix this with
|
|
|
+partial joins.
|
|
|
+
|
|
|
+(With that said: there's nothing machine-readable in the /send response. I don't
|
|
|
+think we can deduce "destination has left the room" from a failure to /send an
|
|
|
+event into that room?)
|
|
|
+
|
|
|
+#### Can we still do this during a partial join?
|
|
|
+
|
|
|
+We can create leave events and can choose what gets included in our auth events,
|
|
|
+so we can be sure that we pass check 4 on incoming events. For check 5, we might
|
|
|
+have an incorrect view of the state before an event.
|
|
|
+The only way we might erroneously think a leave is valid is if
|
|
|
+
|
|
|
+- the partial state before the leave has `U` joined, invited or knocked, but
|
|
|
+- the full state before the leave has `U` banned, left or not present,
|
|
|
+
|
|
|
+in which case the leave doesn't make anything worse: other HSes already consider
|
|
|
+us as not in the room, and will continue to do so after seeing the leave.
|
|
|
+
|
|
|
+The remaining obstacle is then: can we safely broadcast the leave event? We may
|
|
|
+miss servers or incorrectly think that a server is in the room. Or the
|
|
|
+destination server may be offline and miss the transaction containing our leave
|
|
|
+event.This should self-heal when they see an event whose `prev_events` descends
|
|
|
+from our leave.
|
|
|
+
|
|
|
+Another option we considered was to use federation `/send_leave` to ask a
|
|
|
+fully-joined server to send out the event on our behalf. But that introduces
|
|
|
+complexity without much benefit. Besides, as Rich put it,
|
|
|
+
|
|
|
+> sending out leaves is pretty best-effort currently
|
|
|
+
|
|
|
+so this is probably good enough as-is.
|
|
|
+
|
|
|
+#### Cleanup after the last leave
|
|
|
+
|
|
|
+**TODO**: what cleanup is necessary? Is it all just nice-to-have to save unused
|
|
|
+work?
|
|
|
+</details>
|