Pragmatic Lessons of Rails & Ruby in the Enterprise

RailsConf 2016

by Nathan Beyer

In the presentation 'Pragmatic Lessons of Rails & Ruby in the Enterprise,' Nathan Beyer shares his experiences utilizing Rails and Ruby at Cerner, a global healthcare technology company. Over the past 17 years at Cerner, Beyer has witnessed the evolution of web application development from its early days of limited web presence to the extensive use of Ruby on Rails across the organization. Key points discussed include:

Overview of Cerner: Cerner focuses on transforming healthcare delivery with technologies such as electronic medical records, population health initiatives, and mobile applications.
Historical Context: Cerner's journey began with C++ and ASP web development, transitioning through Java, and later adopting Rails for consumer-facing applications.
Adoption of Rails: Beyer describes how Rails was selected for builds due to its rapid development capabilities and ease of use, particularly during the development of eCommerce and mobile applications.
Service-Oriented Architecture: The shift towards cloud-based services required handling interactions through APIs, leading the team to build Ruby on Rails applications that serve as backend services for mobile clients.
Development Ecosystem: Beyer emphasizes the importance of a standardized development ecosystem, including build processes, dependency management, and compliance with regulations like FDA and HIPAA. They created an internal gem server to manage numerous Ruby libraries.
Security Considerations: Healthcare applications demand robust security, leading to detailed user event auditing and intricate access control mechanisms based on patient-provider relationships.
Lessons Learned: Beyer highlights challenges like cultural resistance to Ruby’s dynamic typing, issues around code reuse and micro-frameworks, and the need for standardized practices within large teams.

In conclusion, Beyer's talk emphasizes the transformative impact of Rails and Ruby in enterprise settings, the importance of adapting to changing technology landscapes, and how a structured development approach is crucial for effective management in healthcare tech.

00:00:09.950 All right, thank you for coming. This is the presentation on the pragmatic lessons of Rails and Ruby in the enterprise.

00:00:15.870 I wanted to start off by mentioning that I work for Cerner.

00:00:24.170 I doubt that anyone in the room knows what Cerner is unless you work here. Is there anyone outside of Cerner who knows what Cerner is? Oh, there are a couple of you. So, Cerner is a healthcare company.

00:00:38.340 Our tagline is that we believe healthcare is too important to stay the same. We are a global healthcare company trying to facilitate and change the way healthcare is delivered.

00:00:51.469 Specifically in the U.S., this means quite a few things. We spend a lot of time working with hospitals, clinical providers, networks, etc., providing them with various technologies.

00:01:05.220 Most of what you would see includes things like electronic medical records.

00:01:10.500 What I work on is part of a newer frontier for us, which is population health.

00:01:16.229 This focuses on the care of populations as a whole, trying to adjust how we approach healthcare, particularly in the U.S., moving from a system mainly motivated by pay-for-service to one driven by pay-for-care.

00:01:29.070 My name is Nathan Beyer, and my Twitter handle is @endbeyer if you’re interested. It’s not all that exciting, but feel free to follow me. I've been with Cerner for over 17 years. I guess that probably makes me old. During this time, I’ve worked with a variety of technologies, engaging primarily in open source development.

00:01:55.590 I was fortunate, or perhaps unfortunate, to be a member of the Apache Harmony project. If anyone knows what that is, it was a brief attempt to create an open-source JVM. The coolest thing we got to do was be part of Android, but then we got thrown out, so that didn't work out too well.

00:02:10.649 But what I'm here to talk about today is how we’ve utilized Rails and Ruby at Cerner. To do that, I wanted to provide a brief history of what web application development at Cerner has looked like.

00:02:34.110 We need to start off with the beginning, which is around 1999—this also happens to be when I started working at Cerner, straight out of college.

00:02:46.080 I had my computer science degree, but at the time, I knew absolutely nothing about software engineering or what it really meant to build software.

00:02:59.660 At that point, Cerner was really not doing much with web development.

00:03:04.590 They had been experimenting with an application called PowerChart, and they referred to this effort as the 'Web PowerChart.' Since most of PowerChart’s end-user portions were built in C++ on Windows desktops, the natural inclination was to create C++ DLLs and integrate them into ASP.

00:03:18.840 I don’t mean ASP.NET; I mean the pre-ASP.NET world with its strange syntax. At that time, not many people knew about web development.

00:03:32.610 So, much of the code looked like this: an enormous amount of code was written in C++ DLLs with HTML being mixed in.

00:03:48.630 Eventually, I realized that we probably shouldn't mix HTML with compiled code and instead put that in ASP to separate our concerns.

00:04:00.000 It felt like I was making a key engineering move at the corporation, but it turns out not too many people cared about that separation.

00:04:13.740 As things evolved over the years, we started utilizing more Java, as many large enterprises do. When we began using Java at Cerner, it was still met with hesitation; it hadn't quite reached the point where it was the go-to language.

00:04:28.920 But we gradually began doing various amounts of Java development for web applications. We utilized tools like Struts, which was known as Java EE or back in those days as Java 2 EE.

00:04:50.150 I was doing a lot of Java development at that time, so it was fairly familiar. Anyone who has seen servlets and Struts knows it was a bit of a mess.

00:05:06.120 This was during an era when we hadn’t quite gotten into the XML configurations; we were grappling with how to manage Java projects.

00:05:18.880 Around 2009, some teams, specifically a group called Cerner Health, focused more on consumer-oriented projects and began experimenting with Python and Django.

00:05:45.480 Though their choice was valid at the time, there was still a lot of Java development happening, primarily with Struts.

00:05:57.190 At that same time, I got an interesting assignment to build a customer-facing eCommerce store, which we called the Cerner Store.

00:06:12.990 At the time, I was not fully aware of what was going on in the Python world and didn’t collaborate much with that team.

00:06:21.520 I thought to look at what the rest of the world was doing and noticed that Rails was getting a lot of attention.

00:06:35.190 So, I decided to give Rails a try. As I started using it, I hired a couple of engineers fresh out of college, who were just as curious about it.

00:06:51.640 This is where our adventure began, utilizing a fairly standard Rails application setup. We were using Ruby Enterprise Edition, Passenger, and MySQL as our data store.

00:07:04.840 It was a simple and monolithic system that worked fairly well.

00:07:10.300 However, as our company’s needs changed, we started to see the requirement for more cloud-based development.

00:07:17.350 Prior to this, we had primarily focused on packaged software, delivering products to clients, either for them to run themselves or for us to run essentially as isolated software packages.

00:07:32.640 As we evolved towards software as a service, our technical requirements shifted.

00:07:41.370 In 2012, we had to pivot towards mobile development. What we found was that, with a connected mobile application, we still needed an application on the server side that connects to our iOS application.

00:07:58.990 I suggested using Rails to build web services to support our iOS application. This fit nicely into our development model because we could quickly build applications that were easy to use.

00:08:13.980 We began building restful services to fulfill the needs of our iOS apps.

00:08:29.390 However, this setup turned out to be non-traditional. The Rails applications didn't connect to databases directly; they interacted with services.

00:08:43.570 Part of this was my doing, as we decided to use Thrift—a binary service protocol for our RPC mechanism. I wouldn’t recommend it, but that’s what we built.

00:09:04.780 As we built these internal services using Thrift, we also recognized the need to improve our deployment automation, and this is where Chef came into play.

00:09:16.740 One of the driving forces for using Chef was its use of Ruby in defining recipes. This brought some serendipity since we were using similar languages.

00:09:34.440 About six to nine months later, I was tasked with working on the Population Health initiative, which I'm currently responsible for. We built what we call Healthy Intent, a platform providing population health services.

00:09:55.629 Healthy Intent is a software-as-a-service system that includes delivering web applications and services.

00:10:10.480 At that time, it was logical to use Rails again; we built our web applications and APIs behind the scenes using Rails. Instead of using Thrift, we dropped it.

00:10:27.639 However, we still needed to utilize a lot of Java for building internal tools.

00:10:43.820 Also, since we are involved with big data processing, that inevitably means working with Hadoop, which is always Java-centric.

00:11:02.080 In developing services for our projects like HBase, we utilized JAX-RS. At that time, we also defined what we call Blue Steel.

00:11:18.200 Some of you might get the joke, but Blue Steel is essentially an HTML, CSS, and JavaScript framework for quickly building applications.

00:11:38.130 To some extent, it is similar to Bootstrap, containing numerous components that integrate seamlessly to build applications that are consistent in style, HTML structure, and interaction.

00:11:55.190 That is where we are today—using Rails for various web and service developments.

00:12:05.220 However, it is not the only technology we use. I want to highlight some unique aspects of our environment.

00:12:19.839 These may not be entirely unique, but people may not talk about them, as they’re not always seen as cool.

00:12:28.209 One significant aspect is how we view Rails—not as a monolith, but as a single tool in our toolbox.

00:12:41.190 In the context of Healthy Intent, we have multiple Rails instances manifesting as individual applications. These applications interact with various services.

00:13:01.600 Some services are Java-based, while others we built using Rails to create simple reference services. This allows for easy creation without much complexity.

00:13:18.629 We have various data stores, including Hadoop, HBase, and Solr. We use those in parallel, and I acknowledge that HBase can handle key-value lookups but struggles with more complex queries.

00:13:38.250 So, we use Solr for search capabilities. You could say that in the wild, many people prefer Elasticsearch in this context.

00:13:55.930 Additionally, we have instances where Solr acts as both the data store and the querying mechanism. Underneath this, we have a significant big data processing system.

00:14:09.600 To illustrate the scale, although I only represent four boxes at the top, in reality, within Healthy Intent, we manage 15 to 20 substantial projects.

00:14:29.390 In broader Cerner, we likely have 50 to 100 Rails projects that are independently performing a variety of interesting functions.

00:14:40.470 So, we have a significant amount of Rails at scale.

00:14:59.340 Next, I want to touch on some unique security requirements. While not solely linked to Rails, we place a high emphasis on user event auditing.

00:15:13.760 In a clinical environment, it’s crucial to know what users are doing at every step. Hence, we have to audit every action and make these records available to the system administrators.

00:15:28.469 Hospitals and clinics need to ensure that users did not improperly access certain data, especially due to legal or malpractice situations.

00:15:45.320 Thus, we must have a comprehensive logging system where all actions taken by users can be accurately tracked. This adds complexity to our Rails code.

00:16:05.580 Surprisingly, you implement many of these audit logs at the application level, where you can gather user-related events.

00:16:22.000 An interesting feature we've explored is federated authentication, often used in applications allowing logins via Google or Facebook.

00:16:41.340 However, in our case, federated authentication involves client systems that might use SAML for integration with Active Directory. This process is often painful.

00:16:58.190 We have devised a structured session management system, creating a separation of concerns between our applications and the authentication session services.

00:17:18.420 This allows our applications to interact with a session service while we don’t need to manage the intricacies of identifying users in various authentication systems.

00:17:34.540 Another security aspect we focus on is access control. Traditional role-based access control (RBAC) categorizes users into roles like owner or publisher.

00:17:53.500 In healthcare settings, we define permissions based on a user's data relationship instead of merely their role.

00:18:08.980 It’s crucial for us to ensure that the user's relationship to the data is what allows or restricts their access to specific patient data.

00:18:22.100 In other words, a doctor has access to a patient’s medical chart only if they have a clinical relationship with that patient.

00:18:37.559 This relationship mapping creates a complex codebase to manage and enforce permissions effectively.

00:18:59.730 Furthermore, I want to touch on the development ecosystem, which is critical in ensuring the productivity of engineers working within our structure.

00:19:15.360 Within our environment, managing builds and standardizing tools is vital, including tracking libraries and ensuring consistent documentation.

00:19:32.240 Given our extensive number of Rails projects, we manage hundreds of internal libraries.

00:19:50.149 This has led us to establish our own gem server, though managing an internal gem server in the Ruby community is not straightforward.

00:20:10.170 Dealing with dependency management in Ruby is challenging; while Bundler aims to mitigate some issues, it often becomes a patchwork solution.

00:20:30.329 The complexities lead to inconsistent experiences when managing multiple gem servers.

00:20:49.610 Another critical aspect of our development ecosystem revolves around builds. These are essential given the various regulations Cerner has to comply with.

00:21:12.000 As an ISO 9001 certified company, we have to ensure compliance with FDA and HIPAA standards, as well as adhere to ethical obligations.

00:21:29.420 We put in place extensive processes that dictate how to package software effectively, ensuring thorough audits and reproducibility.

00:21:46.740 For instance, when we complete a project, we cannot simply declare it finished; we must validate it has been meticulously tagged and packaged correctly.

00:22:04.630 We also need evidence from unit tests and audits, ensuring that everything can be recreated when needed.

00:22:21.520 From these practices, we created a tool called Rollout. Each project contains a 'project.yaml' file that outlines various details like source code locations and other pertinent data.

00:22:41.900 This tool acts as an intermediary, wrapping Bundler, Ruby Gems, and our documentation and test generation.

00:22:59.879 Essentially, we automate processes like running our spec tests and dependency reports, simplifying how we manage our projects.

00:23:22.000 As with many Rails applications, keeping up to date with dependencies is essential, which can be challenging given the variety of release cycles.

00:23:40.690 Some of Cerner’s legacy software has been around for over thirty years, and updating them to more modern frameworks poses significant challenges.

00:24:02.340 Given that Rails has frequent updates, if left unattended, the accumulation of changes can lead to compatibility issues down the line.

00:24:21.890 Thus, we stay as current as we can, ensuring most of our applications are running on versions 4, 5, or 6.

00:24:38.420 Simultaneously, we emphasize careful vetting of dependencies.

00:24:54.640 Even though open-source dependencies are popular, we take the time to evaluate whether they are actively maintained and supported.

00:25:09.240 If a dependency is maintained by a single individual, it creates a risk that can impact our projects.

00:25:31.550 It’s essential that we own the code we rely on, as this ensures we can manage it in the event of unforeseen changes.

00:25:50.870 Now, I’d like to share some lessons. Beware of culture shock; despite how great Rails and Ruby are, people can be resistant simply because it’s different.

00:26:09.840 For instance, if you introduce Java developers to Ruby, they might question the need for factories or certain language-specific features.

00:26:27.470 They might also fear dynamic typing. You’ll have to spend time explaining that duck typing and loose typing are completely fine.

00:26:46.260 There’s often a misconception in the world of big data, where one sees differing attitudes toward text formats. CSV and JSON versus heavier formats like Avro.

00:27:03.900 I haven’t clearly defined this yet, but I see parallels in attitudes toward data types between static and dynamic programming.

00:27:20.510 Another frequently mismanaged concept is reuse; I've observed that many engineers want to create micro-frameworks to showcase their skills.

00:27:36.120 This mentality leads to complexity where few truly benefit, and it can escalate to hundreds of different implementations.

00:27:52.520 When managing a team of 300 engineers, variants of small frameworks become a real challenge, as everyone insists on their unique implementations.

00:28:09.300 Consequently, I get swamped managing multiple snowflake projects that can't work interchangeably.

00:28:23.640 Ultimately, these experiences underline the need for standardized practices within teams. I’m open to answering questions and discussing anything further.

00:28:45.610 If anyone is interested, I have a few reservations for the Cerner party that I can share if you ask me an engaging question.

00:29:06.520 When the exhibit halls open tomorrow, Cerner will be raffling off a gift card to Jack Stack, a fantastic barbecue restaurant.

00:29:20.810 Also, on Friday, we’re giving away a Phantom drone worth about a thousand dollars, so make sure to check that out.

00:29:36.840 You can also find Cerner team members in hoodies. If you have any questions, you can approach me at any time. Thank you all for your time.

00:29:48.480 Thank you!