Check sublist only when required.
Send the subs list in place instead of go routine (gateways have
different outbound/inbound connections so they don't suffer same
issue than routes)
Bump the default array size when collecting gateway connections
Signed-off-by: Ivan Kozlovic <ivan@synadia.com>
We now send A- if an account does not exists, or if there is no
interest on a given subject and no existing subscription.
An A+ is sent if an A- was previously sent and a subscription
for this account is registered.
Signed-off-by: Ivan Kozlovic <ivan@synadia.com>
Reworked fan in logic. We do not hold locks during IO, either read or write.
On scenarios where we can get behind mostly due to fan-in from fast producers
we detect and create a stall channel. Once we catch up we close the stall channel
to release all blocked producers. Producers have an upper bound on how long
they will be stalled.
Signed-off-by: Derek Collison <derek@nats.io>
If each server has a long list of subscriptions, when the route
is established, sending this list could result in each server
treating the peer as a slow consumer, resulting in a reconnect,
etc..
Also bumping the fan-in threshold for route connections.
Signed-off-by: Ivan Kozlovic <ivan@synadia.com>
When enabling verify and map as part of its TLS config
a the subject from TLS cert can now be used to confirm
the identity of a gateway.
```
gateway {
tls {
cert_file = "./configs/certs/tlsauth/server.pem"
key_file = "./configs/certs/tlsauth/server-key.pem"
ca_file = "./configs/certs/tlsauth/ca.pem"
verify_and_map = true
timeout = 2
}
authorization {
user = "CN=localhost,OU=NATS.io Operators"
}
}
```
Signed-off-by: Waldemar Quevedo <wally@synadia.com>
Similar as with clients, this makes it possible to
use the subject from a TLS certificate to validate
the permissions from a cluster member.
Currently only a single configured user is supported:
```
cluster {
tls {
cert_file = "./configs/certs/tlsauth/server.pem"
key_file = "./configs/certs/tlsauth/server-key.pem"
ca_file = "./configs/certs/tlsauth/ca.pem"
verify_and_map = true
timeout = 2
}
permissions {
publish {
allow = ["public.>"]
}
subscribe {
allow = ["public.>"]
}
}
authorization {
user = "CN=localhost,OU=NATS.io Operators"
}
}
```
Signed-off-by: Waldemar Quevedo <wally@synadia.com>
1. Change outbound client structure to be smaller and more cache friendly.
2. Snapshot MaxControlLine into client structure (mcl) to avoid server opts lookup.
Signed-off-by: Derek Collison <derek@nats.io>
There is a possibility that a partial write results in data
not being sent in a timely fashion to a subscription.
Signed-off-by: Ivan Kozlovic <ivan@synadia.com>
