Model Hub architecture
The Hackolade Model Hub is a new product licensed separately from Hackolade Studio. It includes a security-first database and portal entirely controlled by the customer. Contrary to many SaaS solutions, we do not collect, process, or store any of your information, data, or data models. This serverless architecture gives you full control of the residency for your data models, and is described in the diagram below:
Hackolade does not host anything: not the database, not the replication agent, and not the portal application. You install the database and replication service on your own Oracle Cloud Infrastructure account, using a script that we provide. And we publish the application on a Content Delivery Network like Azure Front Door or AWS CloudFront, while you continue to maintain, store, and access your data models inside the network entirely controlled by you.
The main benefits of this architecture are that you remain in complete control of your data while always running the latest version of the Hub software, and without having to deploy software to your users.
Security-first, bring-your-own-storage approach
Hackolade Model Hub is a unique security-first platform in the sense that we maintain, enhance, and regularly publish the application, but your data models remain entirely under your control. Your data and data models are never sent to us.
Why the Oracle Autonomous JSON database on Oracle Cloud Infrastructure?
The data models created and maintained with Hackolade Studio are persisted in files with an open JSON format. This was a conscious choice made during the initial design of the application back in 2015, and it has been instrumental in our ability to deliver as we have. It was also foreseen from the start that those data models could reside in Git repositories and be stored in a NoSQL document database.
For this Model Hub product, literally every significant document database on the market was evaluated against a strict list of evaluation criteria, including: ability to store large documents, API access, indexing capabilities across deeply nested objects and arrays, rules mechanisms, security, authentication mechanisms, scalability, total cost of ownership, etc.
We chose to base our product on the Oracle Autonomous JSON Database (AJD). AJD provides a combination of SQL tables and JSON collections, together with data APIs and functions, which gives us the flexibility and power to satisfy all of our requirements.
The autonomous aspect of the database service is important to deliver elastic scalability and fast query performance without administration. No need to configure or manage any hardware or install any software. AJD handles provisioning, backup, patching and upgrading, and growing or shrinking the database.
Oracle Cloud Infrastructure includes a variety of deployment options: public cloud, private cloud, hybrid cloud, community cloud, and government cloud. It is even possible to deploy OCI in the customer data center.
OCI places a significant emphasis on security, integrating a comprehensive set of features and technologies that help businesses safeguard their operations.
Based on customer needs and feedback, we chose the database and hosting technology that best fits the needs of the Hackolade Model Hub. The installation of your database takes place in your OCI account. Hackolade has no access to your instance, which remains 100% within your control. OCI costs are charged to your account. Installation is scripted by us in an Infrastructure-as-Code approach and executed by you, the customer. We of course provide instructions, documentation, and support.
We are fully committed to data security and privacy
Because none of your sensitive data leaves your infrastructure or is ever stored on our servers, Hackolade Model Hub is a platform which lets you comply with data protection certifications (ISO 27000, 27001 and 27002) and GDPR:
- we do not track your use of the https://hub.hackolade.com website - there are no cookies, no advertisements, no analytics, no browser fingerprinting, and no tracking beacons;
- Hackolade Model Hub does not allow your data models to be stored on our servers.
The serverless architecture addresses any security or confidentiality concern users might have with a SaaS platform. Many Software-as-a-Service solutions host not only the software but also your data, sometimes with certification programs such as ISO 27001 or SOC 2. While security concerns are legitimate for full SaaS solutions, they are simply not applicable in the case of the browser deployment of the Hackolade Model Hub, as we never collect or store any of your data or data models. We also do not collect any telemetry. Nothing.
The secure cloud CDN architecture takes a zero-trust approach to protect against automated bots, injection attacks and application-layer denial-of-service attacks.
Always run the latest and greatest version of Hackolade Model Hub
With the browser deployment of Hackolade Model Hub, there is no effort necessary to always have access to the latest feature enhancements.
The question is sometimes asked whether the browser deployment of the Hackolade Model Hub portal could be run on an internal server in your organization. While it would technically be possible, we do not offer this possibility. The reasons are:
- it would remove the main benefit of this architecture, i.e. that you would always access the latest version of the application. We'd be back in the situation where you'd be dependent on your IT Department's validation, installation and deployment of each new version of our software;
- it would require us to support a server-based product, which is an entirely different business model.
Browser deployment architecture
For those interested in the inner workings, Azure Front Door and AWS CloudFront deliver our static application content to you from the edge location closest to you in terms of latency. Processing takes place in your browser and never leaves your network. No data or telemetry is being collected by Hackolade from the processing of your data models. Your data models are persisted locally and never leave your network.
WAF and DDoS protections are enabled using the respective capabilities of Azure Front Door and AWS CloudFront.
Overview of the instance architecture
Your instance is created in your own OCI account with a script that you can obtain from us when you purchase the Hub product. The script creates all the necessary components for the Hub to function autonomously, according to the architecture diagram below:
Oracle provides the Autonomous JSON Database (AJD). This database can act like a collection of documents (in our case data models), accepting JSON data without any constraint and running queries on it later. Oracle offers both standard SQL tables and collections. The idea behind collections is that Oracle provides a table with predefined columns, one of which is of type JSON. We decide on a case-by-case basis, but a standard table generally gives us the greatest flexibility: a column of type JSON stores the models, and extra columns can be added when needed.
The JSON type in Oracle can store up to 32MB of compressed data in its OSON format. Storing the JSON in textual format raises the limit to 2GB, but we lose the ability to query the JSON without first serializing it, which can be costly. So far, all our test schemas fit within 32MB, so support for larger schemas is the exception rather than the nominal case, and we will address it in a later iteration.
Oracle REST Data Services (ORDS): ORDS exposes the data in the database through REST APIs, either by automatically creating REST endpoints per table or by letting a developer define custom endpoints.
AutoREST automatically creates CRUD endpoints for a table, but it is limited in the queries that can be run and cannot select only the columns we want.
In terms of security, ORDS defines privileges; a user may access a protected resource only if they hold the privilege attached to it. When integrating with a third-party authentication system, that privilege must be carried in the JWT.
OCI Functions supports Node.js 20 and many other languages. Functions run in a Docker container, so any library from npm can be installed.
In combination with API Gateway, a function can be invoked from an HTTP endpoint, which lets it receive calls from a webhook.
The sync of hck.json files will be handled by an OCI function that receives a webhook from the Git repository, downloads the changes, and applies them to the database.