book

CockroachDB: The Definitive Guide

by Guy Harrison, Jesse Seldess, Ben Darnell

April 2022

Intermediate to advanced

485 pages

12h 4m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Why Cockroach?Building CockroachDBNext StepsWhy We Wrote This BookWho This Book Is ForHow This Book Is OrganizedConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
I. Introduction to CockroachDB
1. Introduction to CockroachDB
A Brief History of DatabasesPre-Relational DatabasesThe Relational ModelImplementing the Relational ModelTransactionsThe SQL LanguageThe RDBMS HegemonyEnter the InternetThe NoSQL MovementThe Emergence of Distributed SQLThe Advent of CockroachDBCockroachDB Design GoalsCockroachDB ReleasesCockroachDB in ActionCockroachDB at DevSistersCockroachDB at DoorDashCockroachDB at BoseSummary
2. CockroachDB Architecture
The CockroachDB Cluster ArchitectureRanges and ReplicasThe CockroachDB Software StackThe CockroachDB SQL LayerFrom SQL to Key-ValuesTables as Represented in the KV StoreColumn FamiliesIndexes in the KV StoreInverted IndexesThe STORING ClauseTable Definitions and Schema ChangesThe CockroachDB Transaction LayerMVCC PrinciplesTransaction WorkflowWrite IntentsParallel CommitsTransaction CleanupOverview of Transaction FlowRead/Write ConflictsClock Synchronization and Clock SkewThe CockroachDB Distribution LayerMeta RangesGossipLeaseholdersRange SplitsMultiregion DistributionThe CockroachDB Replication LayerRaftRaft and LeaseholdersClosed Timestamps and Follower ReadsThe CockroachDB Storage LayerLog-Structured Merge TreesSSTables and Bloom FiltersDeletes and UpdatesMultiVersion Concurrency ControlThe Block CacheSummary
3. Getting Started
InstallationInstalling CockroachDB SoftwareCreating a CockroachDB Serverless InstanceStarting a Local Single-Node ServerStarting Up CockroachDB in a Docker ContainerStarting Up a Secure ServerShutting Down the ServerRemote ConnectionCreating a Kubernetes ClusterUsing a GUI ClientExploring CockroachDBAdding Some DataDatabases and TablesIssuing SQLThe DB ConsoleWorking with Programming LanguagesConnecting to CockroachDB from Node.jsConnecting to CockroachDB from JavaConnecting to CockroachDB from PythonConnecting to CockroachDB from GoSummary
4. CockroachDB SQL
SQL Language CompatibilityQuerying Data with SELECTThe SELECT ListThe FROM ClauseJOINSAnti-JoinsCross JoinsSet OperationsGroup OperationsSubqueriesCorrelated SubqueryLateral SubqueryThe WHERE ClauseCommon Table ExpressionsORDER BYWindow FunctionsOther SELECT ClausesCockroachDB ArraysWorking with JSONSummary of SELECTCreating Tables and IndexesColumn DefinitionsComputed ColumnsData TypesPrimary KeysConstraintsIndexesCREATE TABLE AS SELECTAltering TablesDropping TablesViewsInserting DataUPDATEUPSERTDELETETRUNCATEIMPORT/IMPORT INTOTransactional StatementsBEGIN TransactionSAVEPOINTCOMMITROLLBACKSELECT FOR UPDATEAS OF SYSTEM TIMEOther Data Definition Language TargetsAdministrative CommandsThe Information SchemaSummary
II. Developing Applications with CockroachDB
5. CockroachDB Schema Design
Logical Data ModelingNormalizationDon’t Go Too FarPrimary Key ChoicesSpecial-Purpose DesignsPhysical DesignEntities to TablesAttributes to ColumnsPrimary Key DesignForeign Key ConstraintsDenormalizationReplicating Columns to Avoid JoinsSummary TablesVertical PartitioningHorizontal PartitioningRepeating GroupsJSON Document ModelsJSON Document AntipatternsIndexing JSON AttributesUsing JSON or Arrays to Avoid JoinsIndexesIndex SelectivityIndex Break-Even PointIndex OverheadComposite IndexesCovering IndexesComposite and Covering Index PerformanceGuidelines for Composite IndexesIndexes and Null ValuesInverted IndexesPartial IndexesSort-Optimizing IndexesExpression IndexesSpatial IndexesHash-Sharded IndexesMeasuring Index EffectivenessSummary
6. Application Design and Implementation
CockroachDB ProgrammingPerforming CRUD OperationsConnection PoolsPrepared and Parameterized StatementsBatch InsertsPagination of ResultsProjectionsClient-Side CachingManaging TransactionsTransaction Retry ErrorsImplementing Transaction RetriesAutomatic Transaction RetriesAvoiding Transaction Retry Errors with FOR UPDATEReducing Contention by Eliminating Hot RowsReducing Transaction Elapsed TimeReordering StatementsTime Travel QueriesAmbiguous Transactions ErrorsDeadlocksTransaction PrioritiesWorking with ORM FrameworksSummary
7. Application Migration and Integration
Loading DataFile LocationsImporting FilesImporting from Cloud StorageImport PerformanceMigrating from Another DatabaseExtracting and Converting DDLGeneral Considerations When Converting DDLExporting DataLoading Data Into CockroachDBDirectly Importing PostgreSQL or MySQL DumpsSynchronizing and Switching OverUpdating Application CodeExporting CockroachDB DataChange Data CaptureCore Change Data CaptureUsing the Changefeed ProgrammaticallyEnterprise Change Data CaptureChange Data Capture to KafkaChange Data Capture to SnowflakeSummary

8. SQL Tuning
Finding Slow SQLExplaining and Tracing SQLEXPLAIN ANALYZEEXPLAIN OptionsEXPLAIN DEBUGChanging SQL ExecutionOptimizing Table LookupsOptimizing JoinsJoin MethodsOptimizing Sorting and AggregationOptimizing DMLOptimizing the OptimizerOptimizer StatisticsViewing StatisticsAutomatic StatisticsManually Collecting StatisticsSummary
III. Deploying and Administering CockroachDB
9. Planning a Deployment
Know Your RequirementsComparison of Deployment OptionsServerless DeploymentsSingle-Region Dedicated DeploymentsCommon Planning Tasks—Dedicated DeploymentsBenchmarking and Capacity PlanningCockroachDB Cloud DeploymentsSelf-Hosted on a Cloud PlatformSelf-Hosted “Bare-Metal” On-PremiseOther Self-Hosted ConsiderationsSelf-Hosted KubernetesConfiguring for Self-Hosted High AvailabilityDisk FailureNode FailuresNetwork FailureZone and Region TopologiesSummary
10. Single-Region Deployment
Deploying On-Premise or On-CloudFirewall ConfigurationOperating System ConfigurationClock Synchronization On-PremiseClock Synchronization on Cloud PlatformsCreating CertificatesConfiguring the NodesCreating a Ballast FileInitializing the ClusterCreating the First UserInstalling a Load Balancer (On-Premise)Cloud Load BalancersConfiguring Regions and ZonesDeploying on KubernetesInitializing the OperatorInitializing the ClusterCreating a Client PodLoad BalancingOther Kubernetes TasksSummary
11. Multiregion Deployment
Multiregion ConceptsRegions and ZonesSurvival GoalsLocality RulesPlanning Your Mutliregion DeploymentDeploying in MultiregionConverting to a Multiregion DatabaseConfiguring Regional by RowSetting Regional Survival GoalPlacement Restricted DatabasesSummary
12. Backup and Disaster Recovery
BackupsThe BACKUP CommandBackup DestinationsFull BackupTable- and Database-Level BackupsIncremental BackupsAS OF SYSTEM TIME BackupWITH REVISION HISTORYSHOW BACKUPManaging Backup JobsScheduling BackupsLocality-Aware BackupsRestoring DataExporting DataDisaster Recovery Best PracticesBackup Scheduling and ConfigurationRecovering from Human ErrorsSummary
13. Security
Firewall ConfigurationIP Allowlist with CockroachDB DedicatedVPC Peering and PrivateLink with CockroachDB DedicatedNative Linux FirewallConfiguring a Firewall in GCPConfiguring a Firewall in AWSConfiguring Ports for Microsoft AzureEncryption and Server CertificatesEncryption at RestAuthentication MechanismsStandard AuthenticationAdvanced AuthenticationAuthorizationManaging UsersManaging PrivilegesFine-Grained Access Control with ViewsLogging and AuditingSecurity Best PracticesSummary
14. Administration and Troubleshooting
MonitoringCockroachDB Dedicated AlertsCockroachDB Serverless AlertsAvailability MonitoringThe Cluster APIMonitoring and Alerting with PrometheusMonitoring and Alerting with DatadogLog ConfigurationLog ChannelsLog FormatFilter LevelsLog DestinationsLogging to FluentdRedactionLogs in Cloud DeploymentsCluster ManagementUpgrading the Cluster VersionAdding Nodes to a ClusterDecommissioning NodesTroubleshootingClock Synchronization ErrorsNode LivenessNetworking IssuesLoss of Client ConnectivityRunning Out of Disk SpaceWorking with CockroachDB Support ResourcesSummary
15. Cluster Optimization
Tuning Versus FirefightingWorkload OptimizationDetecting Problem WorkloadsReview of Workload Optimization StrategiesAd Hoc or Analytic QueriesCluster BalanceCauses of ImbalanceHot RangesLoad BalancingChanges in Cluster TopologyAdmission ControlNetworkMemory OptimizationKey-Value Cachemax-sql-memoryHost MemoryDisk I/OScaling OutSummary
Index
About the Authors

Content preview from CockroachDB: The Definitive Guide

Chapter 13. Security

In the Information Age, data is one of the world’s most valuable commodities. It can confer competitive advantage through enhanced operational intelligence, and it is often subject to the most stringent privacy regulations. Databases are frequently the target of data theft, ransomware attacks, and data tampering.

CockroachDB supports industrial-strength security features that protect your database from malicious attacks and also to some degree from human error and application bugs.

A well-secured CockroachDB deployment uses defense-in-depth to protect the database: multiple levels of security that protect against intrusion or unauthorized activities. These include:

Firewall rules that restrict cluster connections to known and trusted network addresses.
Transport Layer Security (TLS) encryption in flight to prevent access of data in transit. TLS authentication can also be used to defeat man-in-the-middle attacks and to provide a level of client authentication.
Encryption at rest: an enterprise feature that allows data files on disk to be encrypted.
A variety of authentication mechanisms to determine a user’s identity, including username/password, key file, Kerberos, and OAuth.
A role-based authorization system that controls access to data and to system commands.
Logging options that allow for tracking of user access. Standard logging allows tracking of authentication events and SQL executions, while audit logging allows for fine-grained tracking ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781098100230Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

CockroachDB: The Definitive Guide

by Guy Harrison, Jesse Seldess, Ben Darnell

Chapter 13. Security

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.