Saturday, October 31, 2009

Why measuring the exact size in memory can be a futile exercise

Coherence being an in-memory data grid, it is important to provision the hardware right. Many factors play a role: total RAM on the box, avoiding paging, providing linear scalability without running into Out of Memory errors, and so on. The problem is how to measure how many additional nodes (cache servers) will be needed, and as a result how many new boxes, when it is time to scale out. And if indexes are created, how do we measure the additional space they require, and how do we do it right?
There are two ways to measure things: the first is like measuring gold, the second like measuring onions. Onions are always approximate. Coherence data sizing is like measuring onions. It is not that you cannot measure it like gold, accurately and precisely; it is that in most cases it is not needed. Why? Because of the dynamic, self-provisioning nature of the cluster, and because memory gets cheaper by the day. It is much easier to approximate the size and add new nodes or boxes to the cluster than to be a mathematician and calculate the size in bytes. If you are an operations person you need quick and almost correct formulas. If you are a Coherence enthusiast you might already know them: on a 32-bit machine, 1.2GB of RAM is needed to run a JVM with a 1GB heap. Out of that 1GB heap, only 375MB is available for primary data storage in a distributed scheme with a backup count of one, keeping 30% of scratch space per JVM to keep the GC profile in check, and so on. What about indexes? That's easy too: account for 30% overhead for each index added, and watch how many indexes are added, since it is easy for the indexes to exceed the size of the data itself. Are these numbers accurate? Nope, and they are not meant to be. Are they simple? Yes, and close to correct. After all, when it comes to provisioning a system like Coherence it is okay to just measure it like onions.
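The onion rules above are easier to apply consistently when they are written down once as a calculation. The following estimator is an added example, not code from the original post: it takes the post's rules of thumb (1.2GB of RAM per 1GB heap on 32-bit, 375MB of primary data per 1GB heap with one backup, 30% overhead per index) and returns how many cache server JVMs and boxes a data set needs, and how many JVMs to add to a running cluster. The 20% OS reserve per box, the box size and the sample data sizes are constructed assumptions, not figures from the post.

```python
"""Rule-of-thumb capacity estimator for a Coherence distributed cache.

Added example, not from the original post: it turns the post's "measure it like
onions" numbers into a repeatable calculation that an operations person can run
before scaling out. The constants are the post's rules of thumb for a 32-bit JVM
with a 1GB heap and a backup count of one; the box size, the OS reserve and the
sample data sizes are constructed inputs, not figures from the post.
"""
from dataclasses import dataclass
from math import ceil, floor

# The post's rules of thumb.
RAM_PER_HEAP_FACTOR = 1.2      # a 1GB heap needs about 1.2GB of RAM on 32-bit
PRIMARY_MB_PER_GB_HEAP = 375   # primary data per 1GB heap, backup count 1, scratch kept free
INDEX_OVERHEAD = 0.30          # each index adds about 30% of the data size
# Assumption (not from the post): leave 20% of box RAM to the OS so nothing pages.
OS_RESERVE_FRACTION = 0.20


@dataclass(frozen=True)
class SizingPlan:
    data_with_indexes_mb: float   # primary data plus index overhead
    primary_per_jvm_mb: float     # usable primary storage per cache server JVM
    jvms_needed: int              # cache server JVMs for the whole data set
    jvms_per_box: int             # how many of those JVMs one box can hold
    boxes_needed: int             # boxes for all JVMs
    additional_jvms: int          # JVMs to add on top of the ones already running


def indexed_data_mb(primary_data_mb: float, index_count: int) -> float:
    """Primary data size plus the post's 30% overhead per index."""
    if primary_data_mb < 0 or index_count < 0:
        raise ValueError("data size and index count must be non-negative")
    return primary_data_mb * (1 + INDEX_OVERHEAD * index_count)


def plan_capacity(primary_data_mb: float, index_count: int, heap_gb: float = 1.0,
                  box_ram_gb: float = 8.0, current_jvms: int = 0) -> SizingPlan:
    """Estimate JVMs and boxes for the data set; an onion answer, never byte-exact."""
    if heap_gb <= 0 or box_ram_gb <= 0 or current_jvms < 0:
        raise ValueError("heap, box RAM and current JVM count must be sensible")
    total_mb = indexed_data_mb(primary_data_mb, index_count)
    per_jvm_mb = PRIMARY_MB_PER_GB_HEAP * heap_gb
    jvms = max(1, ceil(total_mb / per_jvm_mb))

    ram_per_jvm_gb = heap_gb * RAM_PER_HEAP_FACTOR
    usable_box_gb = box_ram_gb * (1 - OS_RESERVE_FRACTION)
    jvms_per_box = floor(usable_box_gb / ram_per_jvm_gb)
    if jvms_per_box < 1:
        raise ValueError("box cannot hold even one JVM without paging")
    boxes = ceil(jvms / jvms_per_box)
    return SizingPlan(total_mb, per_jvm_mb, jvms, jvms_per_box, boxes,
                      max(0, jvms - current_jvms))


if __name__ == "__main__":
    # Constructed scenario: 2GB of primary data, two indexes, four JVMs already running.
    plan = plan_capacity(primary_data_mb=2000, index_count=2, current_jvms=4)
    print(plan)
```

The index term is the one to watch in practice: with two indexes the 2000MB data set already needs storage for 3200MB, and each further index adds another 600MB of heap that has to come from somewhere.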

A love letter from Nigeria, again!

Just received this letter from a dead uncle I never knew, who had migrated to Nigeria without my knowing. A few uncles like these and I will be the richest person on this Nigerian Earth!

I am Mr David Lewis. a Foreign Transfer Manager working with ZENITH BANK of Nigeria.I just started working with ZENITH. and I came across your unpaid fund File stamped hold due to you have not come for the claim.

The most annoying thing is that they won't tell you the truth that on no account will they ever release the fund to you,instead they allow you spend money unnecessarily, or allow the government confiscate your fund, I do not intend to work here all the days of my life, I can release this fund to you if you can certify me of my security.

I needed to do this because you need to know the statues of your Funds and cause for the delay,Please this is like a Mafia setting in Nigeria, you may not understand it because you are not a Nigerian.. The only thing needed to release this fund is the Change Of Ownership which will be tendered to this bank Zenith to prove to them that you have come for the claim of your fund left in your name and the INTERNAL REVENUE SERVICE(IRS)for clearance of the transferred amount in your account or in any means you will like to receive your fund.

Once the Change Of Ownership is obtained from the Federal High Court here in Nigeria funds will immediately reflect in your bank within 10 Minutes,the document is all that is needed to complete this transaction.

I have the Deposit Certificate for your own proof and the Next Of Kin application form to fill out.

Note that the actual funds is valued at $25 MILLION USD and the president made a compensation fund release for all unpaid beneficiary valued at $15 million usd.
Listed below are the mafia's and banks behind the non release of your funds that i managed to sneak out for your kind persual.

1) Prof. Charles soludo
2) Chief Joseph Sanusi
3) Dr. R. Rasheed
4) Barrister Awele Ugorji
5) Mr Roland Ngwa
6) Barrister Ucheuzo Williams
6) Mr. Ernest Chukwudi Obi
7) Dr. Patrick Aziza
Deputy Governor - Policy / Board Member
8) Mr. Tunde Lemo
Deputy Governor - Financial Sector Surveillance / Board Member
9) Mrs. W. D. A. Mshelia
Deputy Governor - Corporate Services / Board Members
10) Mrs. Okonjo Iweala

Do get in touch with me immediately with my direct number to conclude this final transaction immediately,and also send to me your convenient tel/fax numbers for easy communications

Regards,
Mr. David Lewis.

This much snow in Denver in October

Friday, October 30, 2009

Level(3) not accessible

This sign in Denver International Airport's Elevator always reminds me of Level(3) a network company.

Tuesday, October 27, 2009

BJP must have done something really bad to be rejected like this

So it looks like when it comes to elections, the story the BJP is hearing is the same again and again. There must be something new brewing in the electorate's minds these days. Aren't these the same people who got carried away with religious sentiments just a few years back? So what has changed since? We still go to churches, gurudwaras, temples and mosques. Aren't we Hindus or Muslims any more? So why are we rejecting the BJP and beating it like this? There is a reason, and the reason is that the BJP cannot seem to see the new realities of India, and if they can see them they cannot seem to find a leadership that can promise and deliver new frontiers for the nation. Otherwise Mumbai, where one of the worst security lapses occurred and caught the state and federal (Congress) governments totally off guard, would not have rejected the nationalist BJP/Shiv Sena combine. Congress, with its new, astute and young leadership, seems to have struck a chord with this new India. They are struggling to solve problems but still seem sincere about resolving them. It is the truth in their tone which is now making it a "party with a difference". The BJP has failed, and it has failed in numerous ways. L.K. Advani has become the Kapil Dev of politics: sitting in the leadership role for as long as possible, not delivering, and not allowing new blood to take over either. Kapil was sensible, as he knew how far to extend and when to throw in the towel. Advani seems to struggle with it. The RSS, which knows how to disassociate itself from the BJP, is only pretending to be a separate entity. It is not. If the RSS had an answer the BJP would not be in this quagmire. The disciplined party workers of the BJP were never so disciplined after all. Infighting has taken over their regional units, and the list goes on and on. By now the BJP should see that it has been outright rejected in the shape it stands in today.
When it comes to Congress, the truth is that we only consider voting them out when we get disenchanted with their leaders, not because we love the other option. And if they continue to do what they are doing, I see no reason why there will be any new challenge for them even in future elections.

Sunday, October 25, 2009

Coherence - Back to Basics

One question that keeps cropping up is when to configure an application as a cluster member and when to go over *Extend. The answer has always been pretty simple: if application stability cannot be guaranteed then it cannot be considered as a cluster member. There is more to it, though. These are the questions you must ask before opting for any configuration strategy:

  • If the application is written in either C++ or .NET then there is no other choice but to configure it as an *Extend client.
  • If the interface to Coherence is Java (including JNI) then the choices are a little deeper.
Let's talk about it in more detail (the content is not a dictation to its readers but an aid to put them on the right track).

When to configure as a cluster member?
  1. Applications deployed inside a container (like an application server) are typically configured as storage-disabled cluster members. The reason is that application servers, being "server-side" components themselves, are considered fairly stable.
  2. Applications demanding "extreme" performance are configured as cluster members.
  3. *Extend introduces an additional network hop; if this additional couple of milliseconds is not acceptable then configure the application as a cluster member.
  4. If proxy reconnect (the *Extend client having to re-establish its connection when a proxy goes down) is an issue.
When to *Extend?
I am a big proponent of the *Extend configuration because it gives us a framework we are already used to. With the enhancements in Coherence v3.5 and later to the proxy service and the serialization mechanism, the overhead on the proxy has reduced considerably, and this opens up some nice architectural options.
  1. If the application is a desktop application where reliability cannot be guaranteed.
  2. If the network over which the application accesses Coherence resources is slow or unreliable.
  3. If the application is written in .NET or C++.
Besides these there are some advanced considerations:
  1. If the application is already very TCP/IP centric. New services can be developed on top of the proxy, as is demonstrated here, here and here.
  2. If an application arbiter is needed, or something like a gatekeeper.
  3. With *Extend the proxy layer can be scaled independently of the storage nodes. The *Extend configuration allows three layers of scalability: first the application clients, second the proxy layer itself, and third the core storage members (the non-proxy cluster members). The storage member layer is about data scalability and the proxy layer is about request scalability.
  4. In line with the popular Adapter pattern typically found in BPEL designs, application-specific adapters can be plugged into Coherence using the proxy's TCP/IP service, making application clients even more agnostic of the Coherence infrastructure beyond the Map implementation.
  5. If a new component is added that introduces features not available out of the box from Coherence, it is much safer to deploy it on proxy nodes. Always remember that we do not have access to either the underlying protocol (TCMP) or the core Coherence component layer; any feature that simulates either of the two must be performed by the proxy.
  6. Anyone still remember SOA? Even though SOA does not dictate the transport layer, it is much cleaner to have well-defined services running and accessing Coherence resources over *Extend. If the services are deployed inside a container then revisit (1), (2) and (3).
Enjoy!

Thursday, October 22, 2009

A Biker's spectrum

Sunday, October 18, 2009

Another couplet today

Don't ask why I never built my home up in the sky;
I feared the stars would break away and fall into my courtyard.
For where else would those who flee the light have gone?
So in some corner of the earth I sat down as a poet.

Tuesday, October 13, 2009

Monday, October 12, 2009

Couplet

Come back here, for even today you come to mind;
though the tongue stays silent, you will find pain in these eyes.
Even the days now pass in darkness, lost in memories of you,
yet you will still find the wicks of the lamps warm.
If you were not going to come, you could at least have said you would not return;
why leave your fragrance behind in the winds?
If you ever see me sitting somewhere along your path,
will you at least leave your memory behind with me?

Saturday, October 10, 2009

Season's first snow

Friday, October 09, 2009

Why I don't watch football, and what the heck does it have to do with Obama's Nobel Peace Prize?

I am interested in things that I feel I could do with practice and perseverance. I may not succeed professionally in cricket or poker or tennis or any other sport, but at least I feel that after 10 or 20 years of regular, dedicated practice I could stand confidently. Football is the only sport where I am certain that even if I spend the rest of my life practising I can never become a muscular giant who can physically push others, and is willing to hit and jump on them. I can never become that, and that is the only reason that dampens my interest in the game. Football has shut its door on me. Prizes are something similar. If I am put in the right direction by my mentors, and I study hard and experiment and read every book this world has ever written, then maybe, just maybe, there is a one-in-a-billion shot that I could get a Nobel Prize in Chemistry. But for Peace? No way. Irrespective of the fact that I might spend the rest of my life in war zones persuading people not to take up arms and kill others, or risk my own life to save one, or spread the power of spirituality, or do anything else I could to make this world a better place to live, I cannot get a Nobel Peace Prize. Unlike in the past, this prize is now reserved for presidents and those who have a chance to become one. Obama had a chance to get it, not because he made this world any more peaceful but because he became a president who ousted a school of thought that initiated one of the bloodiest wars of recent times. War is still raging in Iraq and Afghanistan; Israel and the Palestinians are still locking horns; Iran has become stronger; war has now officially escalated into the interior of Pakistan; and the world is still no safer than it was eight years ago. It seems peace has changed its definition. Someone once told me that the inner strength of your faith can be channelled to achieve peace. By not raising a finger against those who are hitting you on the head, you can achieve peace.
By looking straight into the eyes, with love, of those who have drawn guns to kill, you will achieve peace. And that man, Gandhi, never got the Nobel Peace Prize. Either he was above its stature or the meaning of peace was different then. Congratulations to Obama that the five-person committee sees you as a new-age Gandhi. But like football, the Nobel Peace Prize too is out of my reach, not because I cannot learn the rules but because it is now judged on an unacceptable scale.

Monday, October 05, 2009

Integrating LDAP with Coherence

Please read Securing a Coherence Cache as a precursor to this post. That post talks about how to externalize the configuration of the cache security provider, which can be configured in the Coherence cache configuration. The security provider class implements the SecurityProvider interface, which has a single method, checkAccess(Subject). The Subject is passed by the "cache client" and has to be authenticated and authorized in the security provider. Since I started Oracle Coherence consulting it has come up time and again: integrate Coherence with an LDAP provider so that application and user accounts, managed in a directory server, control which caches they may access and how. So let's think about it again and see if we can streamline this solution and build something generic.

Problem statement: set up a Coherence cache in such a way that discrete cache access is driven by an enterprise directory.

Let's think about the architectural decision points:
  • The LDAP server is an external data source: use a CacheLoader.
  • Avoid accessing LDAP for each cache request: cache user authentications (an admin cache).
  • Protect the admin cache that manages the user authentication so that it allows no other access: protect the protector.
  • Protect the proxy from *Extend access. Cluster members have inherent trust, so use authorized-hosts for cluster members.
  • Use JAAS.
  • Manage authorization locally but authentication centrally.
How about a quick activity diagram?

Authentication
User authentication has to happen only once (typically once in 24 hours). That is not a bad cost to incur once a day, since user accounts do not change, or change very infrequently. Authentication information can be cached once an account has been verified against a directory server. We also need to make sure that the cache holding the account authentication information is inaccessible to any unauthorized user or application. Now how do we do it?
  • Create an admin cache.
  • Plug in a custom CacheLoader that interacts with the external directory server.
  • Build the cache key to include the cache name and the user credentials; the cache value is Boolean.TRUE or Boolean.FALSE.
  • Using the <entitled> XmlElement, configure a DisAllowSecurityProvider as its security-provider.
  • DisAllowSecurityProvider denies all requests to this cache other than those made by a very few "chosen" callers. Scroll down for its implementation.
So how would such an admin cache configuration look?
<distributed-scheme>
    <scheme-name>admin-distributed-scheme</scheme-name>
    <service-name>AdminDistributedService</service-name>
    <backing-map-scheme>
        <read-write-backing-map-scheme>
            <internal-cache-scheme>
                <local-scheme>
                    <high-units>200KB</high-units>
                    <unit-calculator>BINARY</unit-calculator>
                    <expiry-delay>86400000</expiry-delay>
                </local-scheme>
            </internal-cache-scheme>
            <cachestore-scheme>
                <class-scheme>
                    <class-name>LDAPCacheLoader</class-name>
                    <init-params>
                        <init-param>
                            <param-type>string</param-type>
                            <param-value>ldap.server.com</param-value>
                        </init-param>
                        <init-param>
                            <param-type>int</param-type>
                            <param-value>389</param-value>
                        </init-param>
                    </init-params>
                </class-scheme>
            </cachestore-scheme>
        </read-write-backing-map-scheme>
    </backing-map-scheme>
    <autostart>true</autostart>
    <entitled>
        <security-provider>DisAllowSecurityProvider</security-provider>
    </entitled>
</distributed-scheme>

So the admin cache is size limited, expires an entry 24 hours after the first authentication, and does not allow any direct access. How does that work? LDAPCacheLoader's load() method can be very simple. The cache key passed in carries "username$password" (followed by the cache name), which can be parsed and authenticated against the directory server using the LDAP APIs. If authentication succeeds, return Boolean.TRUE, otherwise Boolean.FALSE. So how is this load() invoked, and from where?

Default Security Provider
Caching user authentication is a luxury that can be centralized. Applications deal with two aspects of cache security, authentication and authorization, and these can be split into two classes. Combined with cached authentication, let's write an abstract default security provider. Any security provider that extends it gets the "performance" for free.

import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import com.tangosol.net.CacheFactory;
import com.tangosol.net.NamedCache;

public abstract class DefaultSecurityProvider implements SecurityProvider {
    // USER_CRED is the admin cache; a miss makes LDAPCacheLoader bind against the directory
    private final NamedCache nCache = CacheFactory.getCache("USER_CRED");
    protected final String cacheName;
    protected DefaultSecurityProvider(String cacheName) { this.cacheName = cacheName; }
    public boolean checkAccess(Subject subject) {
        Set<Principal> principals = subject.getPrincipals();
        if (principals.isEmpty()) { return false; }
        String user_pw = principals.iterator().next().getName(); // "username$password"
        String userName = getUserName(user_pw);
        Boolean isPresent = (Boolean) nCache.get(user_pw + "$$" + cacheName);
        return isPresent != null && isPresent.booleanValue() && authorize(userName);
    }
    protected String getUserName(String user_pw) { // part of "username$password" before the '$'
        int idx = user_pw.indexOf('$');
        return idx < 0 ? user_pw : user_pw.substring(0, idx);
    }
    public abstract boolean authorize(String userName);
}
Authorization
Like authentication, authorization should be relatively inexpensive too. There are two possible approaches. One is to use the directory server to store the authorization attributes as well. Even though that is perfectly doable, authorization belongs to Coherence or the application and should be "owned" by it: central governance should apply only to authentication, not to authorization. So let's find an inexpensive way. How about a Java Permission object driven by a policy file? Let's write a policy file:
grant Principal CustomPrincipal "Principal1" {
    permission java.util.PropertyPermission "Cache1", "read, write";
    // more permissions can be added here
};
grant Principal CustomPrincipal "Principal2" {
    permission java.util.PropertyPermission "Cache2", "read, write";
    // more permissions can be added here
};

What about the custom security provider?

import java.util.PropertyPermission;

public class MyCustomSP extends DefaultSecurityProvider {

    public MyCustomSP(String cacheName) {
        super(cacheName); // the base class keeps cacheName for the permission check
    }

    public boolean authorize(final String user) {
        if (user == null) {
            System.out.println("Auth not in USER_CRED cache");
            return false;
        }
        try {
            // The policy grants PropertyPermission on the cache name to the user's Principal;
            // a Principal-based grant only applies when running under Subject.doAs
            PropertyPermission fp = new PropertyPermission(cacheName, "write");
            new SecurityManager().checkPermission(fp);
            return true;
        } catch (SecurityException exp) {
            // the Principal has no "write" grant for this cache
            return false;
        }
    }
}
In this implementation, if a user Principal has "write" permission then it gets access. But if each of NamedCache's methods is classified as either a read or a write, the invoked method and its classification can be passed along to checkAccess(). Instead of a hard-coded "write" for every access, each NamedCache method can then have fine-grained user authorization. Of course you reserve the right to create your own Permission object with its own set of Actions and use that.
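The authentication, default provider and authorization sections above describe one flow: verify the credential centrally, cache the verdict in the admin cache for a day, then decide authorization locally per cache and per action. The following model is an added example, not the post's Coherence code: the directory, the admin cache and the policy table are constructed in-memory stand-ins, and it implements the per-method read/write classification the paragraph above suggests. It departs from the post in one deliberate way: the admin cache key carries an HMAC of the credential under a deployment secret instead of "username$password", so the cache never holds plaintext passwords; the secret and all sample accounts are constructed.

```python
"""Runnable model of the post's design: authentication verified centrally (LDAP),
cached in an admin cache with a one-day expiry, and authorization decided locally
from a policy table. Added example, not the post's Coherence code: the directory,
the admin cache and the policy are constructed in-memory stand-ins. One change from
the post is deliberate: the admin cache key carries an HMAC of the credential
instead of "username$password", so the cache never holds plaintext passwords.
"""
import hashlib
import hmac
import time

# Constructed directory stand-in (what the real LDAP bind would consult).
DIRECTORY = {"alice": "s3cret", "bob": "hunter2"}

# Constructed policy stand-in mirroring the post's policy file:
# principal -> cache name -> allowed actions.
POLICY = {
    "alice": {"Cache1": {"read", "write"}},
    "bob": {"Cache1": {"read"}, "Cache2": {"read", "write"}},
}

# Assumption: NamedCache methods not in this set count as "write".
READ_METHODS = {"get", "getAll", "containsKey", "size", "keySet", "entrySet", "values"}

AUTH_TTL_SECONDS = 24 * 60 * 60          # the post's expiry-delay of 86400000 ms
KEY_SECRET = b"constructed-demo-secret"  # assumption: per-deployment secret for the key HMAC


def credential_key(user: str, password: str, cache_name: str) -> str:
    """Cache key: user, HMAC of the credential, cache name (no plaintext password)."""
    tag = hmac.new(KEY_SECRET, f"{user}\0{password}".encode(), hashlib.sha256).hexdigest()
    return f"{user}$${tag}$${cache_name}"


class LdapCacheLoader:
    """Stand-in for the post's LDAPCacheLoader: one directory bind per cache miss."""

    def __init__(self, directory: dict):
        self.directory = directory
        self.bind_calls = 0

    def load(self, user: str, password: str) -> bool:
        self.bind_calls += 1
        expected = self.directory.get(user)
        return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


class AdminCache:
    """The USER_CRED cache: read-through via the loader, size-limited, entries expire."""

    def __init__(self, loader: LdapCacheLoader, max_entries: int = 1000,
                 ttl: float = AUTH_TTL_SECONDS, clock=time.time):
        self.loader, self.max_entries, self.ttl, self.clock = loader, max_entries, ttl, clock
        self._entries: dict = {}   # key -> (authenticated, expires_at)

    def get(self, user: str, password: str, cache_name: str) -> bool:
        key = credential_key(user, password, cache_name)
        now = self.clock()
        hit = self._entries.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]                          # cached verdict, no directory round trip
        value = self.loader.load(user, password)   # miss or expired: bind against the directory
        if len(self._entries) >= self.max_entries: # crude high-units: drop the oldest entry
            self._entries.pop(next(iter(self._entries)))
        self._entries[key] = (value, now + self.ttl)
        return value


class SecurityProvider:
    """The post's DefaultSecurityProvider plus the per-method read/write classification."""

    def __init__(self, cache_name: str, admin: AdminCache, policy: dict):
        self.cache_name, self.admin, self.policy = cache_name, admin, policy

    def check_access(self, user: str, password: str, method: str) -> bool:
        if not self.admin.get(user, password, self.cache_name):
            return False                        # central authentication failed
        action = "read" if method in READ_METHODS else "write"
        return self.authorize(user, action)     # local authorization from the policy

    def authorize(self, user: str, action: str) -> bool:
        return action in self.policy.get(user, {}).get(self.cache_name, set())


if __name__ == "__main__":
    loader = LdapCacheLoader(DIRECTORY)
    provider = SecurityProvider("Cache1", AdminCache(loader), POLICY)
    print(provider.check_access("alice", "s3cret", "put"))   # True
    print(provider.check_access("bob", "hunter2", "put"))    # False: bob is read-only on Cache1
    print(provider.check_access("bob", "hunter2", "get"))    # True
    print(loader.bind_calls)                                 # 2: bob's second call hit the cache
```

Two things the model makes visible that the prose only implies: a wrong password is also cached as a negative verdict for the TTL (which is what stops a flood of bad credentials from hammering the directory), and the key includes the cache name, so the same user authenticating against two caches costs two binds.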

I am not done yet!
In the activity diagram there is a logical concept of a Gatekeeper. Who is it, and how does it do its job? The gatekeeper is a combination of a custom NamedCache (EntitledNamedCache) and a SecurityProvider called DisAllowSecurityProvider. EntitledNamedCache is automatically configured for caches that have an <entitled> element defined (read Securing a Coherence Cache for more information), while DisAllowSecurityProvider is configured on the admin cache (USER_CRED) that stores the authentication info.

What does DisAllowSecurityProvider do?
import javax.security.auth.Subject;
import com.tangosol.util.Base;

public class DisAllowSecurityProvider implements SecurityProvider {
    public DisAllowSecurityProvider() {
    }

    public DisAllowSecurityProvider(String cacheName) {
    }

    public boolean checkAccess(Subject subject) {
        StackTraceElement[] elements = new Throwable().getStackTrace();
        // Frame 0 is always this method, so testing it would let every request through.
        // Frame 3 is the caller above EntitledNamedCache, which must itself be a
        // SecurityProvider (DefaultSecurityProvider reading USER_CRED); the index assumes
        // that fixed call depth and must be revisited if the call chain changes.
        if (elements.length < 4) {
            return false;
        }
        try {
            Class<?> caller = Class.forName(elements[3].getClassName());
            return SecurityProvider.class.isAssignableFrom(caller);
        } catch (ClassNotFoundException f) {
            Base.log(f);
            return false; // unknown caller: deny
        }
    }
}
So there you go: a decently flexible Coherence cache security implementation. Enjoy!

**One of my colleagues, Steve Brockman, asked if it was possible to extend the security to the other cluster nodes too, besides the proxy nodes. The solution is a little different but easy to make. These are the steps:
  1. Copy coherence-cache-config.xml to, say, alt-cache-config.xml.
  2. Open alt-cache-config.xml in an editor and remove all the <entitled> sections from the configuration.
  3. Edit ExtendedCacheFactory and look for FILE_CFG_CACHE in the file. The next line is where the class sets the cache configuration name. Hard-code the param-value to alt-cache-config.xml (or be more creative, but set it to alt-cache-config.xml).
  4. Deploy alt-cache-config.xml on all the cluster nodes.
  5. Set -Dtangosol.coherence.override=proxy-override.xml on all cluster nodes.

Saturday, October 03, 2009

Bollywood still has it

Movies have become my pastime. I am not a first-day junkie, but that's how I refresh my mind. After a series of disappointments I had stopped watching too many Hindi (Bollywood) movies. Once in a while I watched one that was different, but not something that touched me for long, and getting three in a row was something unheard of. Over the last two weekends it happened, and I am impressed. First I watched Baabar, and this was one movie that gave me dark dreams. The relatively heavy violence, which blended well with the plot, gave me dreams of shooting others with blood on my hands. I was impressed. Second, I watched Kaminey. Shahid Kapoor in a double role, playing a low-level operator of the Mumbai underworld, turned out to be a realistic portrayal. Good acting covered for a few patches, and the songs were not bad either. I always had a soft corner for dark movies; having watched pretty much all of De Niro and Al Pacino, I also loved movies like Satya, Shool and Sehar. So maybe two in a row was not that surprising. And then the hat-trick came with Fashion, another Bollywood creation, based on the life of Mumbai's modelling industry. From the beginning I held my breath, expecting the plot to falter. It did not. The movie had no gunshots and none of those things, but I felt I was watching a Hollywood creation. Three impressive films in a row has certainly shaken my perception of Hindi cinema. Good going. I am back!