Document toolboxDocument toolbox

Design Doc

Owned by Dwayne Jeng (Unlicensed)
Aug 24, 2015

Overview

The Bridge User Data Download (BUDD) Service is the name of a stack that includes the following pieces:

  • A way for the user to request user data.
  • An asynchronous BUDD Daemon, which processes the request and gathers health data from AWS.
  • A way for the user to get their data back from the BUDD Daemon.

Specifics in the following sections.

Requesting User Data

Alternative #1: BridgePF API and SQS Queue

The user calls the requestUserData API, which lives in BridgePF. The user will pass in start date and end date (we can limit the time range to something like a week to make sure they don't brown out our system; also they can use this to get incremental updates of their data). BridgePF will then write the start and end date, along with health code and email address, to an SQS queue and return OK to the user.

The SQS queue will contain entries representing a request for health data, containing health code, email address, start date, and end date. These entries will be consumed by the BUDD Daemon.

Pros:

  • We only have one front-end for all user interaction (BridgePF).
  • Apps can integrate with this API without having to configure an entirely separate end point.
  • Much cheaper to build compared to a web portal.

Cons:

  • Potential security risk from having both email address and health code in SQS, even if only temporarily. (Even just the email address may be a security risk.)

Alternative #2: Web Portal

Users log into a web portal using their Bridge credentials and submit a user data request through the web portal. This request will include the start date and end date. (Again, we can limit the time range.) The BUDD Daemon is an asynchronous process on the same host that handles this request.

Pros:

  • If we're building a web portal for returning user data, might as well use the same web portal for requesting it too.
  • Security is simpler, since everything lives in a single system that's protected by the user's Bridge credentials.

Cons:

  • More expensive compared to building a BridgePF API and an SQS queue.
  • Users need to get their Bridge credentials from the apps, which may or may not be easy.

Recommendation

Building a web portal is significantly more expensive than building a BridgePF API and an SQS queue. However, the security concerns for not having email address and health code (or even just email address) living in SQS while "in transit" potentially more than justifies the cost.

Recommendation: Web Portal

BUDD Daemon

The BUDD Daemon is either a process running in EC2 that consumes an SQS queue or a process running in the web portal, depending on other design decisions. (TBD What framework? How is this deployed?) The BUDD Daemon processes user data requests by querying the Upload table in DDB and the Upload bucket in S3, downloading the files, decrypting them, bundling them up, and uploading the bundle to S3.

One possible optimization is to make Upload Validation save the decrypted archive file in S3, probably in a structure that looks like: /[healthCode]/[date], so the BUDD Daemon doesn't have to do this work again. However, we'd have to backfill about 4 months worth of data, and we expect user data requests to be sparse, so it's not clear whether this is worth the effort to backfill.

Returning User Data

Alternative #1: Email with S3 Pre-signed URL

The BUDD Daemon generates an S3 pre-signed URL that points to the user's requested data, and emails it to that user. For security, the pre-signed URL expires after 24 hours.

Pros:

  • Much cheaper compared to building a web portal.

Cons:

  • If the email is intercepted, somebody could use the S3 link to get the user's data.
  • If the link expires, the user either needs to request their data again (starting the whole process over again), or we need a way to create a new S3 pre-signed URL from an existing user data request (which increases complexity and cost of this solution).

Alternative #2: Web Portal

The BUDD Daemon notifies the user view email that their data is available on the web portal. The user logs onto the web portal, and go to their completed request. The web portal generates an S3 pre-signed URL, which the user can click to download. For security, the pre-signed URL expires after 5 minutes (we can tweak this up or down depending on security concerns vs user convenience). If the user needs to download their data again, they can log in again and go to the completed request, and the web portal will generate a new S3 pre-signed URL.

Pros:

  • If we're building a web portal for requesting user data, might as well use the same web portal for returning it too.
  • Better security around the S3 link, since it's not sent out externally, and the expiry time can be much shorter.
  • Better story for the user generating a new S3 link after the old one expires.

Cons:

  • More expensive compared to building a BridgePF API and an SQS queue.
  • Users need to get their Bridge credentials from the apps, which may or may not be easy.

Recommendation

Again, building a web portal is significantly more expensive than just sending out an email. But the web portal has a much better story for security and for generating a new link after the old one expires. Plus, if we're already building a web portal for requesting user data, we might as well use it for returning it too.

Recommendation: Web Portal

Web Portal Design

The web portal will be built with the following components:

  • Spring Web MVC framework w/ Spring Boot - Given the lack of support for Play Framework, we decided to try using Spring MVC instead.
  • AWS Elastic Beanstalk - We found that Heroku is too simple and too restrictive for our use-case. On the other end of the spectrum, AWS OpsWorks is powerful but incredibly complex. We chose Elastic Beanstalk because it gives us enough power to do what we need to do without the restrictions of Heroku. Additionally, Heroku is currently only available in US an EU, while Elastic Beanstalk is available anywhere AWS is available.
  • Travis - Travis is a hosted solution while Jenkins requires us to build and maintain our own infrastructure. In the interest of rapid development, we chose to use Travis over Jenkins. We also considered AWS Code Pipeline. Unfortunately, Code Pipeline doesn't host any builds itself and requires Jenkins as a build solution.
  • Maven - Maven was chosen as a dependency management system because it's well-supported and most (if not all) Sage engineers are already familiar with Maven.

Future Improvements

These are things we want for future versions, but not things we need for the initial launch.

  • (user convenience) JavaScript on web portal to poll the status of a request.
  • (optimization) Pre-compute download bundles, if it turns out user data is requested more often than not.
  • (optimization) Map-Reduce
  • (cleanup) Cleanup task to delete old user requests and user-requested data.