Unsafe operations terminology and operational hazards
One of the features we are working on have the notion of a consensus cluster, as well as the ability to force a new cluster if a majority of the nodes in the cluster are down. The details aren’t important, but the first iteration of the UI went something like this:
Initialize new cluster is an unsafe operation, it make the current node into a single node cluster (which obviously has its own majority), and Take over a node will force a node that is part of an existing cluster to joint the current cluster, bypassing the usual safety measures. The Leave cluster command is for usual behavior, when you want to safely remove a node from the cluster.
We had a few problems with this UI (note that it was there simply to make it easy to test the behavior of the system, so don’t get too hang up on the first draft).
One problem we had is that this is shown front and center. It isn’t an operation that we want to make it easy for the admin to run accidently (maybe through just exploring the interface).
That is easy, just drop it into an “Advanced” section, right? But I also had an issue with the terminology. It is too.. bland.
Instead, we are going to rename the buttons as follow:
- Go AWOL from cluster – step down into a single node cluster.
- Kidnap node into cluster – force a node to the current cluster.
The idea with this terminology is that it is obvious (hopefully) that those aren’t standard operations, and that you should consider them carefully.
I’m not sure about Go AWOL, because that might be a very US centric term, other things we consider are:
- Abrogate cluster
- Repudiate cluster
For the same logic.
Thoughts?
Comments
Actually I would have kept the orginal terms. Clarity is way more important than 'protecting' an click and point administrator. If an administrator is so incredible stupid to experiment with an production cluster, than it is his right!
To protect against accidental hits on the very big 'leave cluster' button, you can ask the admin to enter 3 digit number that is displayed to confirm the action. But leaving and joining an cluster are defacto industry terms which makes it easier for admins coming from other data storage solutions to get an handle on RavenDB.
Dave, See this post for my answer: http://ayende.com/blog/172065/unsafe-operations-terminology-and-operational-hazards-the-end-result?key=dddb3c493d4a4393a98b7078f9f9a893
I like it.
Other terms that might work instead of kidnap: coup d'état, mutiny. But kidnap does have the benefit of implying that you're probably taking the whole cluster with you. Maybe "hostile takeover"?
Instead of "go AWOL": cecede. At least that would give the picture of splitting in two, but it might not be clear that you're leaving to start out on your own. I'm not sure everyone would be familiar with the words abrogate or repudiate.
Less US-centric: a node could "divorce" or "marry" a cluster.
Daniel, I like those suggestions
"Break-up with cluster and start a new" - Breakup implies forced separation (unilateral), withouth settling the side efects, therefore might be a good term.
"Kidnap ..." sounds awesome.
"Forsake cluster", "Ditch cluster" "Defect cluster" - Sound a bit more dramatic
Ah terminology ... always tricky. I like some of the suggestions. Two more alternatives: "Split from cluster to start a new one" "Steal node from cluster to join new cluster"
The issue is that these options have a certain impact and risk that cannot be explained in the button alone and you want the end user to acknowledge that he/she knows what will happen when they proceed. Be bland and use terminology that is explanative but make sure the end user is fully aware of the consequences of his action by displaying a dialog with the impact.
"By forcing a node in the current cluster we bypass security measure. Using this option comes with risks; data might nog be in sync resulting in data loss. Are you sure you want to proceed?"
I agree with m. Schopman's points around context and that additional information beyond that which is on the button is critical.
That being said, I feel that the current plan (and Daniel's suggestions) aren't quite right, and possibly over-complicated.
AWOL is US military vocabulary, so that's probably a no-go.
If I understand the behavior correctly, terms/phrases I would suggest would be: - Abandon the cluster - Downsize to single-node cluster
As for the other behavior, kidnap is intuitive but a little dark. Coming from other systems I've seen: - Seize node into cluster - Steal node into cluster - Re-assign node into cluster
Hope these help.
Comment preview