NoSQL For Dummies (2015)
Part I. Getting Started with NoSQL
Chapter 3. Evaluating NoSQL
In This Chapter
Balancing technical requirements
Assessing costs
Maintaining database systems
So you’ve decided you need a NoSQL solution, but there are oh so many options out there. How to decide?
Well, you begin by writing a Request for Information (RFI) and send it to potential suppliers. You’re not a NoSQL expert, but you know what you like! Unfortunately, you also know that the vendors’ responses to all your questions will be, “Yes, we can do that!”
So, your job is to separate the wheat from the chaff, and that’s the purpose of this chapter. My intention is to help you identify the differences among the many options and to make your post-RFI analysis much easier.
The Technical Evaluation
When performing a technical evaluation of products, it’s tempting to create a one-size-fits-all matrix of features and functions against which you evaluate all products.
When assessing NoSQL options, though, this approach rapidly falls apart. NoSQL is too broad a category. With traditional relational database management systems, you can request things like “SQL support” or “Allows modifying the schema without system restart.”
The range of NoSQL databases means one database may be strong in managing documents, whereas another is strong in query performance. You may determine that you need multiple products, rather than carrying out a simple one-size-fits-all box-ticking beauty pageant.
This section narrows your focus before embarking on the creation of a compliance matrix for your evaluations. By doing so, you can ask the right questions about the right products and do a high-value evaluation.
Which type of NoSQL is for you?
The first question is what does your data look like? Unlike relational databases, where it’s a given that the data model includes tables, rows, columns, and relationships, NoSQL databases can contain a wide variety of data types.
Table 3-1 matches data types with the NoSQL database you may want to consider.
Table 3-1 NoSQL Data Management Use Cases
|
Data to Manage |
NoSQL Database |
|
Trade documents (FpML), Retail insurance policies (ACORD), healthcare messages, e-form data |
Document database with XML support |
|
Monthly data dumps in text delimited (CSV, TSV) files, or system/web log files |
Bigtable clone for simple structures Document database for very complex structures |
|
Office documents, emails, PowerPoint |
Document database with binary document text and metadata extraction support |
|
Web application persistent data (JavaScript Object Notation — JSON) |
Document database with JSON support and a RESTful API |
|
Metadata catalog of multiple other systems (for example, library systems) |
Bigtable for simple list of related fields and values Document database for complex data structures or full text information |
|
Uploaded images and documents for later retrieval by unique ID |
Key-value store for simple store/retrieval Document store with binary text extraction and search for more complex requirements |
|
RDF, N-Triples, N3, or other linked (open) data |
Triple store to store and query facts (assertions) about subjects Graph store to query and analyze relationships between these subjects |
|
Mix of data types in this table |
Hybrid NoSQL database |
Search features
You can narrow the field of databases if you consider how data is managed and how it’s revealed to users and other systems.
Query versus search
An entire book can be filled on discussing query versus search. However, requirements tend to fit on a sliding scale of functionality from simple to complex:
· Any NoSQL database should be able to handle basic queries. Retrieving a record by an exact property, value, or ID match is the minimum functionality you need in a database. This is what key-value stores provide. These basic queries match exact values, such as
· By the record’s unique ID in the database
· By a metadata property associated with the record
· By a field within the record
· Comparison queries, also commonly called range queries, find a stored value within a range of desired values. This can include dates, numbers, and even 2D geospatial coordinates, such as searching:
· By several matching fields, or fields within a range of values
· By whether a record contains a particular field at all (query on structure)
Comparison queries typically require a reverse index, where target values are stored in sequence, and record IDs are listed against them. This is called a Term List.
· Handling of free text, including more advanced handling such as language selection, stemming, and thesaurus queries, which are typically done by search engines. In the NoSQL world (especially document NoSQL databases), handling unstructured or poly-structured data is the norm, so this functionality is very desirable for such a use case, including support for searching:
· By a free text query
· By a stemmed free text query (both cat and cats stem to the word cat) or by a thesaurus
· By a complex query (for example, geospatial query) across multiple fields in a record
· By calculating a comparison with a query value and the value within a record’s data (for example, calculated distance of five miles based on a point within a record, and the center of a City — Finding hotels in London.)
Some databases have these search functions built in, whereas others integrate an Apache Lucene-based search index or an engine such as Solr.
· In the world of analytics, you calculate summaries based on the data in matching records, and perhaps as compared to the search criteria. It’s common to calculate relevancy based on distance from a point, instead of simply returning all records within a point and radius geospatial query. So, too, is returning a heat map of the data rather than all matching data. These tools are useful for complex searches such as the following:
· By calculating the above while returning a summary of all results (for example, heat map, facetted search navigation, co-occurrence of fields within records)
· By an arbitrarily complex set of AND / OR / NOT queries combining any of the previously mentioned query terms
· By including the above terms in a giant OR query, returning a higher relevancy calculation based on the number of matches and varying weights of query terms
· 
Facetted search navigation where you show, for example, the total number of records with a value of Sales in the Department field is also useful. This might be shown as “Department — Sales (17)” in a link within a user interface. Faceting is particularly useful when your result list has 10,000 items and you need to provide a way to visually narrow the results, rather than force the user to page through 10,000 records.
Timeliness
Search engines were originally developed to over time index changes of data sources that the search engine didn’t control. Engines like Google aren’t informed when every web page is updated, so they automatically index websites based on a schedule, for example:
· Rapidly changing and popular websites like BBC News and CNN may be indexed every few minutes.
· The index of an average person's blog may be updated weekly.
The timeliness of indexes’ updates is very important for some organizations. Financial regulators, for example, now need a near-live view of banks’ exposure to credit risks — an overnight update of this vital information is no longer sufficient.
If your information retrieval requirements are nearer the search end of the spectrum than the basic query end, then you need to seriously consider timeliness. If this describes you, I suggest considering two products:
· A NoSQL database for data
· A separate search engine like Solr or Elasticsearch for your search requirements
Having these two products installed separately may not be sufficient to guarantee timely access to new data. Even if you can use a NoSQL database distribution that comes with Solr integrated, the indexes may not be updated often enough for your needs. Be sure to check for this functionality when talking to vendors.
When timely updating of search indexes is required, consider a hybrid NoSQL solution that includes advanced search functionality, and definitely ACID compliance in a single product. Sometimes, this may be a case for using Solr built on Lucene as a document store, but many organizations need a full-blown commercial system like MarkLogic with both advanced data management and search capabilities built in.
ACID compliance means the database provides a consistent view over the data — so there’s no lag between the time the data is saved and the time it’s accessible. Without an ACID compliant fully consistent view, the search index can never be real time.
A NoSQL database with indexes that are used by both the database and the search functionality means that when a document is saved, the search indexes are already up to date, in real time.
RFI questions
The following sample questions identify key required features about information retrieval, ranging from simple to advanced query and search functionality.
In this chapter, I use some common conventions for vendor specification questions:
· I use these common abbreviations:
· TSSS = The System Should Support
· TSSP = The System Should Provide
· TSSE = The System Should Ensure
· I use the term “record,” but you may change it to “document,” “row,” “subgraph” or “subject” when appropriate.
General data storage question examples:
· TSSS storing and retrieving a record by a unique key
· TSSS indexes over record fields for fast single-key retrieval of matching records
· TSSS not requiring additional compound indexes for retrieval of records by multiple keys
Forcing the creation of additional compound indexes can adversely affect storage, and means you need to consider up front every possible query combination of fields.
· TSSS indexing a range of intrinsic field types (such as Boolean, text, integer, and date)
· TSSS word, stem, and phrase full-text searching across a record
· TSSS word, stem and phrase full-text searching limited to a set of fields in a record
· TSSS range queries, such as dates or integers within a particular range
· TSSS returning part of a record as a match (as an alternative to returning a complete, long record)
· TSSS queries including multiple query terms
· TSSS limiting a query (or query terms) to a specific subset of a record (normally for complex document NoSQL stores — for example, just the “patient summary” section)
· TSSS returning configurable text snippets along with matches of a query
· TSSS custom snippeting to return matching data segments, not limited to just text matches (for example, returning a three-minute partial description of a five-hour video’s metadata that matches the query, rather than returning the whole five hour video and forcing the user to find the segment manually)
· TSSS, a configurable Google-like grammar for searches beyond simple word queries (for example, NoSQL AND author:Adam Fowler AND (publication GT 2013))
· TSSS queries with compound terms (terms containing multiple terms) down to an arbitrary depth
· TSSS geospatial queries for points held within records that match an area defined by a bounding box, point-radius, and arbitrarily complex polygon
For timeliness, include these questions:
· TSSE that search indexes are up to date within a guaranteed x minute window of time from the time a record is updated
· TSSE that search indexes are up to date at the same time as the record update transaction is reported as complete (that is, real-time indexing)
· TSSS updating multiple records within the boundary of a single ACID transaction
Be sure the vendor guarantees that all sizing and performance figures quoted are for systems that ensure ACID transactions and real-time indexing. Many vendors often ascertain their quotes with these features turned off, which leads to inaccurate estimates of performance for NoSQL databases on the web.
Scaling NoSQL
One common feature of NoSQL systems is their ability to scale across many commodity servers. These relatively cheap platforms mean that you can scale up databases by adding a new server rather than replace old hardware with new, more powerful hardware in a single shot.
There are high-volume use cases that will quickly force you to scale out. These include
· You receive status reports and log messages from across an IT landscape. This scenario requires fast ingest times, but it probably doesn’t require advanced analysis support.
· You want high-speed caching for complex queries. Maybe you want to get the latest news stories on a website. Here, read caches take prominence over query or ingest speeds.
The one thing common to the performance of all NoSQL databases is that you can’t rely on published data — none of it — to figure out what the performance is likely to be on your data, for your own use case.
You certainly can’t rely on a particular database vendor’s promise on performance! Many vendors quote high ingest speeds against an artificial use case that is not a realistic use of their database, as proof of their database’s supremacy.
However, the problem is that these same studies may totally ignore query speed. What’s the point in storing data if you never use it?
These studies may also be done on systems where key features are disabled. Security indexes may not be enabled, or perhaps ACID transaction support is turned off during the study so that data is stored quickly, but there’s no guarantee that it’s safe.
This all means that you must do your own testing, which is easy enough, but be sure that the test is as close to your final system as possible. For example, there’s no point in testing a single server if you plan to scale to 20 servers. In particular, be sure to have an accurate mix of ingesting, modifying, and querying data.
Consider asking your NoSQL vendor these questions:
· Can you ensure that all sizing and performance figures quoted are for systems that ensure ACID transactions during ingest that support real-time indexing, and that include a realistic mix of ingest and read/query requests?
· Does your product provide features that make it easy to increase a server’s capacity?
· Does your product provide features that make it easy to remove unused server capacity?
· Is your product’s data query speed limited by the amount of information that has to be cached in RAM?
· Does your product use a memory map strategy that requires all indexes to be held in RAM for adequate performance (memory mapped means the maximum amount of data stored is the same as the amount of physical RAM installed)?
· Can your database maintain sub-second query response times while receiving high-frequency updates?
· Does the system ensure that no downtime is required to add or remove server capacity?
· Does the system ensure that information is immediately available for query after it is added to the database?
· Does the system ensure that security of data is maintained without adversely affecting query speed?
· Does the system ensure that the database’s scale-out and scale-back capabilities are scriptable and that they will integrate to your chosen server provisioning software (for example, VMWare and Amazon Cloud Formation)?
Keeping data safe
As someone who has an interest in databases, I’m sure you’re used to dealing with relational database management systems. So, you trust that your data is safe once the database tells you it’s saved. You know about journal logs, redundant hard disks, disaster recovery log shipping, and backup and restore features.
However, in actuality, not all databases have such functionality in their basic versions, right out of the box. In fact, very few NoSQL databases do so in their basic versions. These functions tend to be reserved only for enterprise or commercial versions.
So, here are a few guidelines that can help you decide which flavor of a NoSQL database to use:
· If you choose open-source software, you’ll be buying the enterprise version, which includes the preceding features, so you might as well compare it to commercial-only NoSQL databases.
· The total cost of these systems is potentially related more to their day-to-day manageability (in contrast to traditional relational database management systems) — for example, how many database administrators will you need? How many developers are required to build your app?
· You need to be very aware of how data is kept safe in these databases, and challenge all vendor claims to ensure that no surprises crop up during implementation.
The web is awash with stories from people who assumed NoSQL databases had all of these data safety features built in, only to find out the hard way that they didn’t.
Sometimes the problems are simply misunderstandings or misconfigurations by people unfamiliar with a given NoSQL database. Other times, though, the database actually doesn’t have the features needed to handle the workload and the system it’s used on.
A common example relates to MongoDB’s capability for high-speed data caching. Its default settings work well for this type of load. However, if you’re running a mission-critical database on MongoDB, as with any database, you need to be sure that it’s configured properly for the job, and thoroughly tested.
Here are some thoughts that can help you discover the data safety features in NoSQL databases:
· The vendor should ensure that all sizing and performance figures quoted are for systems that ensure strongly consistent (ACID) transactions during ingest, real time indexing, and a real-life mix between ingest and read/query requests.
· Vendor should provide information about cases in which the database is being used as the primary information store in a mission-critical system. This should not include case studies where a different database held the primary copy, or backup copy, of the data being managed.
· TSSE that, once the database confirms data is saved, it will be recoverable (not from backups) if the database server it’s saved on fails in the next CPU clock cycle after the transaction is complete.
· Does the database ensure data is kept safe (for example, using journal logs or something similar)?
· Does the system support log shipping to an alternative DR site?
· TSSE that the DR site’s database is kept up to date. How does your database ensure this? For example, is the DR site kept up to date synchronously or asynchronously? If asynchronously, what is the typical delay?
· TTSP audit trails so that both unauthorized access and system problems can be easily diagnosed and resolved.
· What level of transactional consistency does your database provide by default (for example, eventual consistency, check and set, repeatable read, fully serializable)?
· What other levels of transactional consistency can your database be configured to use (for example, eventual consistency, check and set, repeatable read, fully serializable)? Do they include only the vendor’s officially supported configurations?
· What is the real cost of a mission-critical system?
· Ask the vendor to denote which versions of its product fully support high availability, disaster recovery, strong transactional consistency, and backup and restore tools.
· Ask the vendor to include the complete list price for each product version that achieves the preceding requirements for five physical Intel 64 bit servers with 16 cores, with each running on Red Hat Enterprise Linux. This provides an even playing field for comparing total cost of ownership.
Visualizing NoSQL
Storing and retrieving large amounts of data and doing so fast is great, and once you have your newly managed data in NoSQL, you can do great things, as I explain next.
Entity extraction and enrichment
You can use database triggers, alert actions, and external systems to analyze source data. Perhaps it’s mostly free text but mentions known subjects. These triggers and alert actions could highlight the text as being a Person or Organization, effectively tagging the content itself, and the document it lays within.
A good example is the content in a news article. You can use a tool like Apache Stanbol or OpenCalais to identify key terms. These tools may see “President Putin” and decide this relates to a person called Vladimir Putin, who is Russian, and is the current president of the Russian Federation.
Other examples include disease and medication names, organizations, topics of conversation, products mentioned, and whether a comment was positive or negative.
These are all examples of entity extraction (which is the process of automatically extracting types of objects from their textual names). By identifying key terms, you can tag them or wrap them in an XML element, which helps you to search content more effectively.
Entity enrichment means adding information based on the original text in addition to identifying it. In the Putin example, you can turn the plain text word “Putin” into <Person uid=”Vladimir-Putin”>President Putin</Person>. Alternatively, you can turn “London” into <Place lon=”-0.15” lat=”52.5”>London</Place>.
You can show this data in a user interface as highlighted text with a link to further information about each subject.
You can provide enrichment by using free-text search, alerting, database triggers, and integrations to external software such as TEMIS Luxid and SmartLogic.
Search and alerting
Once you store your information, you may want to search it. Free-text search is straightforward, but after performing entity extraction, you have more options. You can specifically search for a person named “Orange” (as in William of Orange) rather than search records that mention the term orange — which, of course, is also a color and a fruit.
Doing so results in a more granular search. It also allows faceted navigation. If you go to Amazon and search for Harry Potter, you’ll see categories for books, movies, games, and so on. The product category is an example of a facet, which shows you an aspect of data within the search results — that is, the most common values of each facet across all search results, even those not on the current page.
User interfaces can support rich explorations into data (as well as basic Google-esque searches). Users can also utilize them to save and load previous searches.
You can set up saved search criteria so that alerts are activated when newly added records match that criteria. So, if a new record arrives that matches your search criteria, an action occurs. Perhaps “Putin” becomes <Person>Putin</Person, or perhaps an email lets you know a new scientific article has been published.
Not all search engines are capable of making every query term an alert. Some are limited to text fields; others can’t do geospatial criteria. Be sure yours can handle the alerts you need to configure.
Aggregate functions
Once you find relevant information, you may want to dig deeper. Depending on the source, you might ask how many countries have a GDP of greater than $400 billion, or what’s the average age of all the members in your family tree, or where do the most snake bites occur in Australia. These examples illustrate how analytics are performed over a set of search results. These are count, mean average, and geospatial heat map calculations, respectively.
Being able to make such calculations next to the data offers several advantages. The first advantage is that you can use the indexes to speed things up. Secondly, these indexes are likely to be cached in memory, making them even faster. Thirdly, in memory indexes are particularly useful for a NoSQL database using Hadoop File System (HDFS) storage. HDFS doesn’t do native indexing or in-memory column stores for fast aggregation calculations itself — it requires a NoSQL database on top to do this.
Facetted navigation is an example of count-based aggregations over search results that show up in a user interface. The same is true for a timeline showing the number of records that mention a particular point in time. For example, do you want to show results from this year, this month, or this hour?
If you want this functionality, be sure your database has the ability to calculate aggregates efficiently next to the data. Most NoSQL databases do, but some don’t.
Charting and business intelligence
The next obvious user-interface extension involves charting and viewing table summaries for live management information and historical business intelligence analysis.
Most NoSQL databases provide an easy-to-integrate REST API in their databases. This means you can plug in a range of application tiers, or even directly connect JavaScript applications to these databases. A variety of excellent charting libraries are available for JavaScript. You can even use the R Ecosystem to create charts based on data held in these databases, after installing an appropriate database connector.
Some NoSQL databases even provide an ODBC or JDBC relational database plug-in. Creating indexes within a given record and showing them as a relational view is a neat way to turn unstructured data in a NoSQL document database into data that can be analyzed with a business intelligence tool.
Check whether your NoSQL database vendor provides visualization tools or has business partners with tools than can connect to these databases. In vogue tools include Tableau Server, which is a modern shared business intelligence server that supports publishing interactive reports over data in a variety of databases, including NoSQL databases.
Extending your data layer
A database does one thing very well: It stores data. However, because all applications need additional software to be complete, it’s worth ensuring that your selected NoSQL database has the tools and partner software that provide the extended functionality you require.
Not ensuring that extended functionality is supported will mean you will end up installing several NoSQL databases at your organization. This means additional cost in terms of support, training and infrastructure. It’s better to be sure you select a NoSQL database that can meet the scope of your goals, either through its own features or through a limited number of partner software products.
The ability to extend NoSQL databases varies greatly. In fact, you might think that open-source software is easy to extend; however, just because its API is public, doesn’t mean it’s documented well enough to extend.
Whether you select open-source or commercial software, be sure the developer documentation and training are first rate. You may find, for example, that commercial software vendors have clearer and more detailed published API documentation, and well-documented partner applications from which you can buy compatible software and support.
These software extensions can be anything useful to your business, but typically they are on either the ingest side or the information analysis side of data management rather than purely about storage. For example, extract, transform, and load (ETL) tools from the relational database world are being slowly (slowly) updated for NoSQL databases. Also partner end user applications are emerging with native connectors. The Tableau Business Intelligence (BI) tool, for example, includes native connectors for NoSQL databases.
Ingestion connectors to take information from Twitter, SharePoint, virtual file systems, and combine this data may be useful. Your own organization’s data can be combined with reference data from open data systems (for example, data.gov, data.gov.uk, geonames, and dbpedia websites). These systems typically use XML, JSON or RDF as open data formats, facilitating easier data sharing.
Integration with legacy apps is always a problem. How do you display your geospatially enriched documents within a GIS tool? It’s tricky. Open standards are key to this integration and are already widely supported. Examples are GeoJSON, OGC WFS, and WMS mapping query connectors.
File-based applications are always a bit of a problem. It’s a logical next step to present a document database as a file system. Many NoSQL databases support the old and clunky WebDAV protocol. Alas, as of yet, no file system driver has become prevalent. Some NoSQL databases are bound to go this way, though.
Ask your NoSQL vendors about their supported partner applications and extensions. These may cost less than building an extended solution yourself, or paying for vendors’ professional services.
The Business Evaluation
Technical skills are very necessary in order for you to build a successful application. What is as important, but all too often given much lower priority, is the business evaluation.
Writing the code is one thing, but selecting a database which has a community of followers, proven mission critical success, and people and organizations to call on for help when you need it is just as important.
In this section, I describe some of the areas of the non-technical, or business evaluation, you should consider when evaluating NoSQL databases.
Developing skills
NoSQL is such a fast-growing area that the skills required to use it can’t keep up, and with so many different systems, there aren’t any open standards equivalent to those for SQL in the relational database world.
Therefore, it’s a good idea to find and employ or contract, at the right price, those people who have expertise in the database you select. Also, be sure that you can find online or in-person training. In doing so, don’t accept, outright, people’s LinkedIn profiles in which experience with MongoDB is listed — sometimes it’s listed only because it’s a very popular database and the person is looking for a job when in fact they haven’t any proven delivery experience with that database. So, you want to be sure they’re actually skilled in the database you’re using.
Getting value quickly
NoSQL databases make it easy to load data, and they can add immediate value. For example, if early on you solve a few high-value business cases, you may get financial and management backing for larger projects. With this background, you will be able to deploy new applications quickly — potentially stealing a march on your competitors and having fun with awesome new databases in the process!
So, start by identifying high-value solutions for a few difficult, well-scoped, business problems and perform some short-term research projects on them. Use a selection of NoSQL databases during the project’s initial phases, and check whether vendor-specific extensions can help you achieve your aims. In NoSQL, vendor lock-in is a given because every product is so different — you may as well embrace the database that best fits your needs.
Having said this, the situation is improving. XML and JSON are the defacto information interchange formats now. In the semantic technology space standards like RDF and SPARQL are the predominant standards. Adopting these long term enables you to switch vendors, but at the moment the fragmented nature of implementation of some of these standards means you may well be better off adopting database specific extensions.
Finding help
With any software product, there comes a point where you need to ask for help. Finding answers on StackOverflow.com is one thing, but in a real-life project, you may come upon a knotty problem that’s unique to your business.
In this situation, web searches probably can’t help you. You need an expert on the database you’re using. Before selecting a database, be sure you can get help when you need it. This could be from freelance consultants or NoSQL software vendors themselves.
Check the price tag, though, before selecting a database — some vendors are charging double the day rate of others for a consultant to be on site. By handing software out for free or very cheaply they have to make their money somewhere!
24 hour, 7 day, 365 day a year dedicated support is also a very good idea for mission critical solutions. “Follow the sun” problem resolution models will also help fix problems quickly. Some vendors’ support staff are less technical IT support people, whereas other vendors use actually engineers able to take your problem through to resolution themselves. This is quicker than having to wait for the right time zone for a few third level support engineers to get to work in the morning.
Deciding on open-source versus commercial software
Many people are attracted to open-source software because of the price tag and the availability of online communities of expertise. I use open-source software every day in my job — it’s essential for me, and it may well be essential for you, too.
The good news is that you can find a lot of open-source NoSQL vendors and commercial companies that sell support, services, and enterprise versions of their software.
Here are a few reasons to use open-source software in the first place:
· Freely available software: This kind of software has been downloaded and tried by others, so some developers are at least familiar with it; and people spend time contributing only to the development of software they consider valuable or are passionate about.
· Sites like StackOverflow.com: Sites like StackOverflow.com are full of fixes, and someone has probably approached these sites with problems you’re likely to encounter.
· Try before you buy: With open-source software, you can become familiar with a free version of software before sinking your annual budget into purchasing an enterprise, fully supported version.
Conversely, there are several good reasons for buying and using commercial NoSQL databases instead:
· Documentation: Product documentation is usually much more complete and in-depth than open-source software.
· Support: These companies may offer global 24/7 support and will have trainers, consultants, and sales engineers that can travel to your office to show you how their software can help you — good for getting support for internal proof of concept and business cases.
· Rationale: These companies make money by selling software, not consulting services — their day rates may be lower than those selling add-ons and support for open source databases, which can reduce the cost of implementation.
· Products: Products usually have many more built-in enterprise features than open-source ones do, which means you need fewer add-on modules and services.
· Freebies: Because of the overwhelming number of open-source options, commercial companies now offer free or discounted training and free, downloadable versions of their products that you can use and evaluate.
Building versus buying
As I alluded to earlier, many open-source NoSQL vendors make their money by offering commercial support and services rather than by selling software.
Many open-source NoSQL products are also very new, so not all the features you may need are readily available in the software. As a result, you are likely to spend money on paying for services to add this functionality.
Many organizations have internal technical teams, especially in financial services companies and in some defense and media organizations. Because financial services companies take any advantage they can get to make a profit, so they hire very capable staff.
Your organization may also have a skilled staff. If so, “Congratulations,” because you’re the exception rather than the rule! If you’re in this situation, you may be able to add the extra features yourself, rather than buy expensive services.
However, most organizations aren’t in this position, so it’s worth checking out the “additional” features in commercial software, even if they don’t provide every single feature you want of the box, but allow you to build those features faster.
It’s easy to burn money paying for software to be built to fix deficiencies in open source software. Consider the total cost of ownership of any future NoSQL database.
Evaluating vendor capabilities
Whom to trust? Trusting no one, like Fox Mulder (remember, The X-Files) only gets you so far. Eventually, you must take the plunge and choose a firm to help you in your endeavors.
Small companies may be local, independent consultancies or smaller NoSQL vendors. They offer a couple of advantages:
· Small vendors may be more tuned into your industry or geography. They’re particularly useful in small countries or sectors where large commercial companies don’t often venture.
· Small vendors tend to be flexible — because you’re likely to be a major percentage of their annual income, as well as a useful addition to their portfolio.
Small vendors may be prone to financial troubles and downturns. Also, they may not have enough personnel to service and support your organization’s expanded use of a NoSQL database.
Large (usually commercial) software companies typically have their own strengths:
· Large companies have a greater reach and more resources — both human and financial — to call on.
· If you have a problem that needs to be solved fast, these companies may be better placed to help you than smaller companies are.
Large companies have broader experiences than smaller companies have, which means the bigger companies have probably dealt with unique edge cases. So, if you have a unique requirement, these companies may have people who’ve dealt with similar problems.
Finding support worldwide
You want to find out whether local support is available, as either service consultants or engineering and product support personnel. Be sure you can contact them in your time zone and that they speak your language fluently. Perhaps you can request a meeting with their local support leader before signing a contract.
In government organizations, security is paramount. In some countries, a support person who’s reviewing log files and handling support calls for public sector systems must have proper security clearance, and this is true even for unclassified civilian systems. Usually, these stringent requirements are due to government organizations having suffered data losses or theft in the past. Be sure these people are available if you work in the public sector.
Expanding to the cloud
Many organizations outsource the delivery and support of their IT services to a third party. When provisioning new hardware or applications, this process is typically ongoing. It can also prove costly.
NoSQL databases often are used to solve emerging problems rapidly. Agile development is the norm in delivering the solutions to these problems. This is particularly the case when systems need to go into production within six months or so.
Many organizations are now moving to the cloud for their provisioning and servicing needs in order to make delivery of new IT systems less expensive and more agile. Be sure your NoSQL database can be used in these environments.
Several NoSQL products have specific management features in a cloud environment. Their management APIs can be scripted and integrated with existing systems management tools. Ask your vendor what support it has with the cloud environment you choose.
Getting Support
All sophisticated IT systems have features that become acutely important if they’re being used for business or mission-critical jobs. This section details many enterprise class features that you may want to consider if you’re running business critical workloads.
Business or mission-critical features
If your organization’s reputation or its financial situation will suffer if your system fails, then your system is, by definition, an enterprise class system.
A good example of such a system in the financial services world is a trade management system. Billions of dollars are traded in banks every day. In this case, if your system were to go down for a whole day, then the financial and reputational costs would be huge — and potentially fatal to your business.
The consequences of a failure in a government system might be politically embarrassing, to both executives and those implementing the systems! A possible and more serious side effect, though, might be the risk of life and limb. For example, take a military system monitoring advancing troops. If it were to fail for a day, troops might be put in harm's way.
In the civilian sphere, certainly in the UK and the European Union, primary healthcare systems manage critical information. In the UK, there are what’s called Summary Care Records in which patient information is held and shared if needed — for example, information about allergies and medications. If a person is rushed to a hospital, this record is consulted. Without this information on hand, it’s possible that improper care might be given.
Vendor claims
Often, people confuse a large enterprise customer with a large enterprise system. Amazon, for example, is definitely a large-enterprise organization. Everyone is familiar with this organization, so naturally vendors will mention Amazon in their marketing material if they have sold their software to Amazon. If this software is for printing labels on HR folders though, it’s not a mission critical enterprise system. Treat vendor claims with suspicion unless you know exactly how these organizations are using the NoSQL databases you are considering.
It’s worth reading the small print of these vendors’ customer success stories:
· If a database is used to store customer orders and transactions, then it’s a mission-critical enterprise system.
· If a database is used behind an internal staff car sharing wiki page, then it’s most definitely not a mission-critical application.
Some systems fall in between the preceding definitions of enterprise and non-enterprise systems. Consider, for example, a database that caches thumbnail images of products on an e-commerce website. Technically, an e-commerce app is mission-critical. If the images weren’t available for a full day, that company might well have a major problem. In this scenario, it doesn’t take much to imagine that the retailer’s reputation might be damaged.
But back to Amazon. If you’re buying this book from Amazon (and please do), you probably don’t care about thumbnail images. If the database storing just the thumbnail images were to fail, you would still be able to place orders; therefore, this aspect of the system isn’t really mission-critical, unlike the preceding situation with the e-commerce retailer’s system.
Vendors who mention a minor system and an enterprise customer in the same breath aren’t trying to deceive you. It’s perfectly natural for a software vendor to want to shout about a large enterprise customer from the rooftops . . . not that you’d listen! It’s more an issue with the English language.
So, when selecting a NoSQL database, be aware of the difference between an enterprise customer and an enterprise system. Ask vendors exactly how their customers use their database software and how critical that part of the system is to the large enterprise’s bottom line.
Enterprise system issues
When you’re trying to figure out whether a database will work in a mission critical-system, certain issues are obvious — for example, when running a large cluster in which one server fails, the service as a whole is still available.
In this section, I cover these types of system maintenance issues along with disaster recovery and backups.
Perhaps less obvious enterprise issues are about how particular parts of the system work. Two main factors in an enterprise system are durability and security:
· Durability relates to a database’s ability to avoid the loss of data. (You may think a database shouldn’t be called a database unless it guarantees that you can’t lose data, but in the NoSQL world durability isn’t a given.)
· Security is essential to many customers. Think, here, about health records or military intelligence systems, as I mentioned earlier in the chapter.
This section treats these issues as being equally important with high availability and disaster recovery because they are as important, if not vital, for the organizations that need them. I include examples of databases which support these features in each subsection so you can decide which one might meet your requirements.
Security
Although security is a concern for all applications, it’s a particular concern for certain types of applications. Earlier I talked about how a failed system can harm financial services and government entities; the same is true in terms of security for their databases.
When it comes to dealing with security-related issues, you can choose from a variety approaches. In this section, I cover issues and approaches related particularly to the security of NoSQL databases.
If you think that you can implement security in a layer of an application layer rather than in the database, you’re right. However, why spend the time, effort, and money required to do so if you can purchase a database with built-in security features?
Doing otherwise will risk making security an afterthought, with programmers instead spending most of their time on end-user features rather than fundamental system architecture like ensuring security of data.
Given the amount of money you would spend writing in security features and the risks to your reputation and finances if you were to have a security breach, I recommend a security in depth approach. That is, buy a product with security features you need built in, rather than try to develop them yourself or rely on application developers to do so.
Role-based access control
One of the most common methods of securing data is to assign each record (or document or graph, depending on your database type) with a set of permissions linked to roles. This is role-based access control, or RBAC for short.
Consider a news release for a website that is being stored in a document (aggregate) NoSQL database. The editor role may have update permissions for the document, whereas a more public role may have only read permissions.
This use case requires assigning role permissions, not user permissions. Users can be assigned to one or more roles. Thus, users inherit permissions based on the sum of their roles.
Having to create a role in order to give a user permission to perform a particular function may seem like extra work, but this approach is very useful. Consider a user who moves to another department or who leaves entirely. You don’t want to have to look manually for every document whose permissions mention this user and change or remove them. Instead just change that user’s role assignments in a single operation. Using role-based access control (RBAC) is much easier for long-term maintenance of security permissions.
Watch how databases handle permissions and role inheritance. Consider underwriters in an insurance company, where there may be trainee, junior, and senior underwriters, each with increasing access to different types of information.
You could assign the junior underwriters the permissions the trainees are assigned, plus a few more. Then you could assign all the junior underwriters’ permissions to senior underwriters, plus a few more, again. If you want to add extra permissions to all these roles, though, you have to make three identical changes.
If you have five levels of roles, that’s five copies. Also, every system will have a multitude of roles like these. Personally, I’m far too lazy to perform the same mundane task over and over again. Plus, it wastes an employee’s time and the organization’s money.
There is a better way: Role inheritance.
Some systems include role inheritance. In this case, the JuniorUnderwriter role inherits from the TraineeUnderwriter role, and the SeniorUnderwriter role inherits from the JuniorUnderwiter role. Now all you need to do to add a permission to all roles is to add it to only the TraineeUnderwriter role (the lowest level of inheritance), and all roles will inherit the permission. Role inheritance is much easier to understand and maintain.
Role permission logic is generally implemented with OR logic. That is, if you assign three roles — RoleA, RoleB, and RoleC — to a record with a read permission, a user has this permission if he has RoleA OR RoleB, OR RoleC. If you don’t assign role read permissions to a record, then no user has read permissions on that record (inheritance aside, of course).
Compartment security
For the vast majority of systems, OR logic is fine. There are some instances, however, where you want to use AND logic. In other words, a user must have all of the TopSecret, OperationBuyANoSQLDatabase and UKManagement roles in order to read a particular document.
This capability is variously referred to as compartment security (MarkLogic Server) or cell level security (Apache Accumulo).
In government systems, you may have several compartments. Examples include classification, nationality, operation, and organizational unit. Each compartment has several roles. Classification, for example, may have unclassified, confidential, secret and top secret roles linked to this compartment.
A record is compartmentalized if it requires one or more roles that are members of a compartment to have a permission on the record. A record may have TopSecret:Read assigned to its permissions. Another record may have only British:Read assigned. A third record, though, may require both TopSecret:Read and British:Read.
Compartment security is different from normal RBAC permissions in that you must have both TopSecret and British roles to receive the read permission (AND logic). Normal RBAC requires only one of these roles (OR logic).
Although compartment security may sound like a very useful feature, and it’s probably vital for military systems, many systems are implemented without requiring this feature.
Attribute-based access control (ABAC)
A useful pattern for security is to apply permissions based on data within a record rather than separately assign permissions to the record. This could be based on either metadata, individual column (Bigtable clones), or element (Aggregate NoSQL databases) values.
A good example is a customer name being mentioned within a document. You may want to restrict access to all the documents mentioning that customer to only those people with access to this customer’s information. You can restrict access to these documents by processing the data within the document, and applying the relevant security permissions based on the value of that data.
No NoSQL databases provide this capability right out of the box. That’s because permissions must be assigned to the record after the data is saved by the application but before it’s available for retrieval by other applications or users. So, this permission assignment must occur within the transaction boundary.
Also, very few NoSQL databases support ACID-compliant transactions (MarkLogic, FoundationDB, and Neo4j, do for example). You can find examples of ACID compliant NoSQL databases in Chapters 4 and 21, where I provide a broader discussion about ACID compliance.
If a database doesn’t support out-of-the-box assignment of permissions based on data within a document but does support ACID transactions and pre-commit triggers, then an easy workaround is possible.
It’s generally easy to write a trigger that checks for the presence of a value within a record and to modify permissions based on its value. As long as a database supports doing so during the commit process, and not after the commit, then you know your data is made secure by using a simple pre-commit trigger.
As an example, MarkLogic Server supports fully serializable ACID transactions and pre-commit triggers. Following is a simple XML document that I want to support for attribute-based access control:
<MeetingReport>
<SalesPerson>jbloggs</SalesPerson>
<Customer>ACME</Customer>
<Notes>Lorem Ipsum Dolar Sit Amet...</Notes>
</MeetingReport>
MarkLogic Server’s triggers use the W3C XQuery language. The following XQuery example is a simple trigger that, when installed in MarkLogic, assigns read and write permissions:
xquery version "1.0-ml";
import module namespace
trgr = 'http://marklogic.com/xdmp/triggers'
at '/MarkLogic/triggers.xqy';
declare variable $trgr:uri as xs:string external;
declare variable $trgr:trigger as node() external;
if (“ACME” = fn:doc($trgr:uri)/MeetingReport/Customer)
then
xdmp:document-set-permissions($trgr-uri,
(xdmp:permission(“seniorsales”,”update”),
xdmp:permission(“sales”,”read”)
)
)
else ()
Once the trigger is installed in the file setperms.xqy in a MarkLogic Server Modules Database, execute the following code in the web coding application for MarkLogic - Query Console to enable the trigger. On a default MarkLogic Server installation, you can find the Query Console at the URL: http://localhost:8000/qconsole.
Here is code showing how to install the trigger using Query Console:
xquery version "1.0-ml";
import module namespace
trgr='http://marklogic.com/xdmp/triggers'
at '/MarkLogic/triggers.xqy';
trgr:create-trigger("setperms",
"Set Sales Doc Permissions",
trgr:trigger-data-event(
trgr:collection-scope("meetingreports"),
trgr:document-content("modify"),
trgr:pre-commit()
), trgr:trigger-module(
xdmp:database("Modules"), "/triggers/",
"setperms.xqy"
), fn:true(),
xdmp:default-permissions(),
fn:false()
)
Identity and Access Management (IdAM)
Authorizing a user for access to information or database functionality is one thing, but before you can do that, you must be sure that the system “knows” that the user is who she says she is. This is where authentication comes in. Authentication can happen within a particular database, or it can be delegated to an external service — thus the term Identity and Access Management (IdAM).
When relational databases were introduced, there were only a few standards around authentication – that’s why most relational databases are still used with internal database usernames and passwords. Most NoSQL databases take this approach, with only a few supporting external authentication standards.
The most common modern standard is the Lightweight Directory Access Protocol (LDAP). Interestingly, most LDAP systems are built on top of relational databases that hold the systems’ information!
NoSQL databases are a modern invention. They appeared at a time when existing authentication and authorization mechanisms and standards exist, and so many have some way of integrating with them.
Where to start, though? Do you integrate your NoSQL database with just a single IdAM product, or do you try to write a lot of (potentially unused) security integrations, and risk doing them badly? It’s tempting to expect NoSQL databases to be ahead of the curve here — but let’s be realistic. No software developer can possibly support all the different security systems out there.
Instead, each NoSQL database has its own internal authentication scheme, and usually support for plugging in your own custom provider. NoSQL databases provide a plugin mechanism as a first step before using this mechanism to implement specific standards.
Although a lack of security system integrations is a weakness from the standpoint of a box-ticking exercise, providing a plugin mechanism actually allows these databases to be flexible enough to integrate with any security system you need.
Fortunately, LDAP is one of the first options that NoSQL vendors integrate. On the Java platform, this may be presented as support for the Java Authentication and Authorization Standard (JAAS). This is a pluggable architecture, and one of its commonly used plug-ins is LDAP directory server support.
When selecting a NoSQL database, don’t get hung up that some don’t support your exact authentication service. As long as the software can be adapted relatively quickly using the database’s security plugin mechanism, that will be fine. The product’s capabilities are more important, as long as they support security plug-ins.
This is where it’s useful to have the resources of a commercial company supporting your NoSQL database — writing these security integrations yourself may take your software engineers longer, and they might even introduce security bugs. Commercial companies have the resources and experience of providing these integrations to customers.
External authentication and Single Sign-On
A NoSQL database supporting a pluggable architecture, rather than a limited set of prebuilt plug-ins for authentication and authorization, can sometimes be beneficial.
This is especially true in the world of Single Sign-On (SSO). SSO allows you to enter a single name and password in order to access any service you use on a corporate network. It means your computer or application session is recognized without you having to type in yet another password. Think of it as “authentication for the password-memory-challenged.”
You’re probably already familiar with such systems. For example, did you ever log on to Gmail, then visit YouTube and wonder why you’re logged on there, too? It’s because both services use a single, independent logon service — your Google account. Well, that’s SSO at work.
SSO is an absolute joy on corporate networks. Most of us need access to many systems — in my case, dozens unfortunately — to do our daily jobs.
Explaining exactly how this works in detail is beyond the scope of this book, but typically when you first log on to a site, you receive a token. Rather than have your computer send your password to every single website (eek!), it passes this token. Alone, the token means nothing, so passing it along is not a security breach.
The token allows an application to ask the security system that created the token a question, usually something like this: “Is this token valid, and does this guy have access to use this service? If so, who is he and what roles does he have?” Basically, behind-the-scene services do the legwork, and not the user.
The most common SSO on corporate networks is one provided on Microsoft Windows machines and Microsoft Active Directory on the server-side that works automatically out of the box. Active Directory can issue Kerberos tokens to you when you log on at the start of your working day. After logging on, when you access any service that supports Kerberos SSO on the corporate network, you aren’t prompted again for a username and password.
The downside is that not all software services support every type of SSO software, and they certainly don’t do it automatically out of the box. If you’re planning on building a set of applications that a single user may need access to using a NoSQL database then consider using an SSO product (who knows, you might prevent someone’s meltdown).
Often, though, SSO token validation is handled by the application stack, not by the underlying database. If you’re assigning roles and permissions for records held in a NoSQL databases, you can reduce hassles during development by having the database use the same tokens, too.
Needing SSO support is especially true of use cases involving document (aggregate) NoSQL databases. These types of records (documents) generally are the types that have a variety of permissions. Most relational- or table-based (for example, Bigtable) systems give the same role based access to all rows in a table. Documents tend to be a lot more fluid, though, changing from instance to instance, and even between minor revisions.
Having support for SSO in the database, or at least allowing external authentication security plug-ins to be added, is a good idea for document databases.
Security accreditations
The best yardstick for assessing any product — from databases to delivery companies — is this: “Where have you done this before?” In some instances, this information is commercially or security sensitive. The next best yardstick is, “Has anyone done due diligence on your product?”
When it comes to security, especially for government systems, organizations are very unwilling to share exact technical knowledge. Even within the same government! In this scenario, an independent assessment is the next best thing to talking with someone who previously implemented the product.
If software vendors have significant footprints in government agencies, their products will eventually be used in systems that require independent verification for either
· A particular implementation — for example, information assurance (IA) testing for a federal high-security system
· A reference implementation of the product, its documentation, code reviews, and security testing
Government agencies have their own standards for accreditation, and a variety of testing labs available to do this. In the U.S., a common standard to look for is accreditation to Common Criteria (CC). Products are tested against specific levels, depending on what they’re used for. A good yardstick for the latest CC standard is EAL2 accreditation. This means that the software has been tested in accordance with accepted commercial best practices.
You can find a good introduction to Common Criteria assurance levels and their equivalents on the CESG website, the UK’s IA Technical Authority for Information Assurance, at www.cesg.gov.uk/servicecatalogue/Common-Criteria/Pages/Common-Criteria-Assurance-Levels.aspx.
Generally, enterprise systems do their own security testing before going live. These days it’s even commonplace for them to do so when handling material that has a relatively low-level classification, such as a database holding many confidential documents, even for civilian government departments.
If the release of information your system is holding could result in a great risk to reputation, financial stability, or life and limb, have your system independently accredited — no matter which database you’re using — before it goes live.
Durability
It’s tempting to assume that a database — that is, a system that’s designed to hold data — always does so in a manner that maintains the integrity of the data. The problem is, data isn’t either safe or unsafe; its durability is on a sliding scale.
Durability is absolutely vital to any mission-critical system. Specific requirements depend on a number of factors:
· Using a database that is ACID-compliant is necessary on mission-critical systems.
· Using an ACID-compliant database reduces development costs in the short-term and maintenance costs over the long-term.
· If many records need to be updated in a single batch (with only either All or Zero updates succeeding), then use a database that supports transactions across multiple updates. (These NoSQL databases are limited in number.)
Never use a database that reports a transaction is complete, when the data may not be safe or the transaction applied. Several databases’ default consistency setting will allow you to send data to the database with it being held just in RAM, without guaranteeing it hits disk. This means if the server’s motherboard fails in the next few seconds you run the risk of losing data.
Preparing for failure
The relational database management system revolution provided us with a very reliable system for storing information. In many ways, we take those management features for granted now.
For NoSQL databases, though, assume nothing! The vast majority of NoSQL databases have been around only since 2005 or later. The developers of these databases remain mostly concerned about building out data storage and query functionality, not about systems maintenance features.
Resilience is when commercial NoSQL vendors, or commercial companies offering an expanded enterprise version of an open-source NoSQL product, come into their own. These paid-for versions typically include more of the management niceties that system administrators are used to in large database systems. Weigh the cost of these enterprise editions against the ease of recovery from a backup, and don’t reject commercial software out of hand, because the cost of a long outage could be much greater than the cost of a software license.
When selecting a NoSQL database that needs to be resilient to individual hardware failures, watch for the following features.
High availability (HA)
HA refers to the ability for a service to stay online if part of a system fails. In a NoSQL database, this typically means the ability for a database cluster to stay online, continuing to service all user requests if a single (or limited number of) database servers within a cluster fail. Some users may have to repeat their actions, but the entire service doesn’t die.
Typically, HA requires either a shared storage system (like a NAS or a SAN) or stored replicas of the data. A Hadoop cluster, for example, stores all data locally but typically replicates data twice (resulting in three copies) so that, if the primary storage node fails, the data is still accessible. MarkLogic Server can operate using shared storage or local replicated storage. Some NoSQL databases that provide sharding don’t replicate their data, or they replicate it just for read-only purposes. Therefore, losing a single node means some data can’t be updated until the node is repaired.
Disaster recovery (DR)
DR is dramatically described as recovering from a nuke landing on your primary data center. More likely, though, an excavator driver just cut your data center’s Internet cable in half.
No matter the cause, having a hot standby data center with up-to-date copies of your data ready to go within minutes is a must if your system is mission-critical. Typically, the second cluster is an exact replica of your primary data center cluster.
I’ve seen people specify fewer servers for a DR cluster than for their primary cluster. However, doing so increases your chance of a double failure! After all, if your primary service goes down for 20 minutes, when the cluster goes back online you’ll probably have the normal daily usage plus a backlog of users ready to hit your DR cluster. So, specify equal or more hardware for a DR center — not less. The shorter the downtime (under a couple of minutes should be possible), the more likely you can use the exact configuration in your primary and DR sites.
Scaling up
NoSQL databases were designed with considerable scalability in mind. So, the vast majority of them implement clusters across many systems. Not all NoSQL databases are born equal, though, so you need to be aware of scalability issues beyond the basics.
In the following subsections, I promise to avoid really techie explanations (like the intricacies of particular cluster query processing algorithms) and discuss only issues about scalability that affect costs in time and money.
Query scalability
Some NoSQL databases are designed to focus more on query scalability than data scalability. By that, I mean they sacrifice the maximum amount of data that can be stored for quicker query processing. Graph databases are good examples.
A very complex graph query like “Find me the sub graphs of this graph that most closely match these subjects” requires comparing links between many stored data entities (or subjects in graph speak). Because the query needs data about the links between items, having this data stored across many nodes results in a lot of network traffic.
So, many graph databases store the entire graph on a single node. This makes queries fast but means that the only multiserver scalabilities you get are multiple read-only copies of the data to assist multiple querying systems.
Conversely, a document database like MongoDB or MarkLogic may hold documents on a variety of servers (or database nodes). Because a query returns a set of documents, and each document exists only on a single node (not including failover replicas, of course), it’s easy to pass a query to each of the 20 database nodes and correlate the results together afterward with minimum networking communication.
Each document is self-contained and evaluated against the query by only the database node it’s stored on. This is the same MapReduce distributed query pattern used by Hadoop MapReduce.
Storing your information at the right level means that the queries can be evaluated at speed. Storing information about a program that deals with its scheduling, genre, channel, series, and brand in a single document is easier to query than doing complex joins at query time.
This is the old “materialized views versus joins” argument from relational database theory reimagined in the NoSQL world.
In a document database, you can denormalize the individual documents around series, programs, channels, and genres into a single document per combination. So, you have a single document saying, for example, “Doctor Who Series 5, Episode 1 will be shown on BBC 1 at 2000 on the March 3, 2015,” rather than a complex relational web of records with links that must be evaluated at query time.
For an Internet catchup TV service, querying the denormalized document set is as simple as saying “Return me all documents that mention ‘Doctor Who’ and ‘Series 5’ where the current time is after the airing time.’” No mention of joins, or going off and looking across multiple record (in this case document) boundaries.
Denormalization does, correctly, imply duplication. This is simply a tradeoff between storage and update speed versus query speed. It’s the same tradeoff you’re used to when creating views in relational databases, and it should be understood in the same way — that is, as a way to increase query performance, not a limitation of the database software itself.
Cluster scalability
What do you do if your data grows beyond expectation? What if you release a new product on a particular day, and your orders go through the roof? How do you respond to this unforeseen situation rapidly enough without going over the top and wasting resources?
Some NoSQL databases have scale-out and scale-back support. This is particularly useful for software as a service (SaaS) solutions on a public cloud like Amazon or Microsoft Azure.
Scale out is the ability to start up a new database instance and join it to a cluster automatically when a certain system metric is reached. An example might be CPU usage on query nodes going and staying above 80 percent for ten minutes.
Cluster horizontal scaling support should include automated features (rather than just alerts for system administrators) and integration to cloud management software like AWS. The database should also be capable of scaling on a live cluster without any system downtime.
Perhaps the hardest part of horizontal scaling is rebalancing data once the new node is started. Starting a new node doesn’t get you very far with a query processing issue unless you share the data across all your nodes equally. If you don’t rebalance data then the server with little or no data will be lightning fast and others will be slow. Support for auto-rebalancing data transparently while the system is in use solves this problem rapidly, and without administrator intervention.
Auto-rebalancing can be reliably implemented only on NoSQL databases with ACID compliance. If you implement it on a non-ACID-compliant database, you run the risk that your queries will detect duplicate records, or miss records entirely, while rebalancing is occurring.
So, now you’ve solved the high-usage issue and are running twice the amount of hardware as you were before. Your sale ends, along with the hype, and system usage reduces — but you’re still paying for all that hardware!
Support for automatic scale-back helps. It can, for example, reduce the number of nodes when 20 percent of the CPU is being used across nodes in the cluster. This implies rebalancing support (to move data from nodes about to be shut down to those that will remain online). Having this feature greatly reduces costs on the public cloud.
Scale-back is a complex feature to implement and is still very rare. At the time of this writing, only MarkLogic Server can perform automatic scale-back on Amazon. MarkLogic Server also has an API that you can use to plug in scale-out/scale-back functionality with other public and private cloud management software.
Acceptance testing
News websites are frequently mentioning stories about large systems where an “update” caused major chaos. These happen in government and banking systems. When they do happen, they happen very publicly and to a great cost to the reputation of the organization at fault.
These issues can often be avoided through a significant investment in testing, particularly User Acceptance Testing (UAT), before going live. Even something that you may think is a minor update can irritate and alienate customers.
Don’t be tempted to reduce your testing in order to meet deadlines. If anything, increase your testing. Missing development deadlines means the job was likely more complex than you originally thought. This means you should test even more, not less.
The Y2K bug deadline was one that absolutely could not be moved. The vast majority of systems, though, even important national systems, are given artificial timelines of when people want systems to be working, not when IT professionals are sure the systems will work.
Trust your IT professionals or the consultants you have brought in to work on a project. Delays happen for many reasons (often because IT professionals are trying to make things work better).
When it comes to testing, the old adage is true — you only get one chance to make a first impression.
Monitoring
Your system is built, and it’s gone live. Now, we can all retire, right? Wrong! It may seem counterintuitive, but just like an old, decrepit body, software breaks down over time.
Perhaps an upgrade happens that makes a previously working subsystem unreliable. Maybe you fix a bug only to find an issue with performance after the patch goes live. Or even some system runs out of support and needs replacing entirely.
It all means extra work. You can spot problems in one of two ways:
· You get an angry phone call from a user or customer because something critical to them failed.
· Your own system monitoring software spots a potential issue before it becomes a critical one.
Monitoring comes in two broad forms:
· Systems monitoring watches components such as databases, storage, and network connectivity. This is the first form that you can enable without any database- or application-specific work.
· Application monitoring spots potential performance issues before they bring a system down.
As an example, a “simple bug fix” could test fine, but when put live, it may cause performance issues.
The only way to spot what is causing a performance issue in part of the database is to be monitoring the application. Perhaps the bug fix changed how a particular query was performed. Maybe what was one application query resulting in one database query is now generating five database queries for the same action.
This issue results in lower performance, but you can’t link the performance issue with the bug fix if you don’t know precisely where the faulty code is in the application. Diagnosing the issue will be impossible without some form of application monitoring.
Many NoSQL databases are still playing catchup when it comes to advanced application monitoring. Open-source NoSQL databases often have no features for this issue. To get these features, you have to buy expensive support from the commercial vendor that develops the software.
Ideally, you want at least a way to determine
· What queries or internal processes are taking the longest to complete
· What application or user asked for these queries or processes to be executed
Also ideally, a monitoring dashboard that allows you to tunnel down into particular application queries on particular database nodes is helpful. In this way, you may be able to list the queries in-flight on a single node of a highly distributed database. Viewing the process details (for example, the full query or trigger module being executed) at that point can greatly reduce live system debugging time.
Quick debugging results in your application team spotting potential issues and rolling back bad updates, for example, before your users give you a ring. In extreme cases, effective monitoring will keep a system that was performing well from grinding to a halt during peak periods.
Once you find an issue, to prevent a repeat situation, it’s important to advise your testing team to incorporate a test for that issue in the next bug-fix testing cycle.
Over time, detailed monitoring pays for itself many times over, although putting an exact number on money saved is a hard thing to do, and you certainly can’t really quantify this number upfront.
I’ve worked for a variety of software vendors and have seen many customers who didn’t pay for monitoring or support until they had a major, and sometimes public, failure. However, from that point on, they all made sure they did so.