A Comparison of Scalable Database Isolation Levels
It is very difficult to find accurate information about the correctness and isolation levels offered by modern distributed databases and the operational conditions required to achieve them. Developers use different terms for the same thing, the meaning of terms varies or is ambiguous, and sometimes vendors themselves do not actually know.
At Fauna, we care a lot about accurately describing which guarantees different systems provide. This is our effort to centralize a description of which database does what. For consistency’s sake, we will use the terminology from Kyle Kingsbury’s explanation on the Jepsen site. The chart is ranked by the maximum multi-partition isolation level offered.
The data is based on statements about isolation levels from vendor documentation, white papers, and developer commentary, exclusive of aspirational marketing statements. We have tried to be neutral in the characterization of the various systems' architectural properties. Whether the system implementations uphold these guarantees is addressed elsewhere. If you haven't already, please see Fauna's own Jepsen results for confirmation that Fauna upholds its guarantees.
Before we BEGIN
In discussing transactional isolation, we frequently encounter the "worse is better" argument, which essentially goes:
- This database does what it does
- Implementing better isolation in the database is impossible or has unacceptable tradeoffs
- Implementing better isolation in the application is simple and useful
This argument also goes by "it's not a bug, it's a feature".
The pretense of low maximum isolation levels, eventual consistency, or CRDTs is that application developers are ready and willing to work through every failure and recovery condition of their distributed dataflow. But in practice, moving beyond “works on my machine” correctness testing requires an extraordinary level of investment that product teams simply can not do.
In my experience, the implications of different isolation levels are very subtle. Pushing the burden to application developers—especially when there are a lot of distinct applications, like in a microservices architecture—is tremendously detrimental to productivity. And although tunable consistency increases flexibility, it cannot be used to paper over an isolation level that is fundamentally too weak to effectively compose.
After all, /dev/null is serializable, but not very useful as a database.
Distributed Databases
Distributed databases present a unified topology and do not require operator management of replication, although some, like the Percolator systems, do require management of special nodes.
Maximum isolation level | Default isolation level | Minimum isolation level | Consensus | Limitations | |
Fauna | Strict serializability | Snapshot Read/write transactions without indexes are always strictly serializable. | Snapshot | Calvin 1 with optimistic concurrency control Writes must coordinate on local log leaders. Reads can be served from any replica. | |
Google Cloud Spanner 4 | Strict serializability (and "external consistency") | Strict serializability | Snapshot (called “bounded staleness”) | Spanner 2 Writes must coordinate on partition leaders which may be remote. Reads can be served from any replica. | |
FoundationDB 5 6 | Strict serializability | Strict serializability | Snapshot | Modified Percolator 3 All queries must coordinate on the timestamp oracle. Conflict resolution is deferred until commit. | |
CockroachDB 7 8 | Serializable | Serializable | Serializable | Modified Spanner All queries must coordinate on the partition leaders for their respective keys. | Transactions with shared keys are mutually serializable, but transactions with disjoint keys can suffer “causal reversal”. Isolation is violated under clock skew. |
Yugabyte 9 | Snapshot | Snapshot | Snapshot | Spanner | Isolation is violated under clock skew. |
TiDB 10 | Repeatable read | Repeatable read | Repeatable read | Percolator All queries must coordinate on the timestamp oracle. | |
DynamoDB | Strong partition serializability | Read committed | Read committed | Paxos Multi-partition two-phase commit offers limited serializability support. | Multi-partition transactions limited to 10 primary keys with explicit read dependencies. Indexes are not serializable. Isolation is violated if there are non-transactional queries to the same keys or if global tables are used. |
CosmosDB 11 12 | Strong partition serializability | Linearizable for single-region, snapshot for multi-region | Read uncommitted | Paxos | Multi-partition transactions are not supported. |
Cassandra 13 | Strong partition serializability | Read uncommitted (aka “eventual consistency) | Read uncommitted | Single-decree Paxos | Multi-partition transactions are not supported. Isolation is violated if there are non-transactional queries to the same keys, or if global secondary indexes are used. |
MongoDB 14 | Session causality | Read uncommitted | Read uncommitted | Sharded, semi-synchronous replication with automated failover | Multi-partition transactions are not supported. Isolation is violated during partitions and shard leader election. |
Replicated Databases
Replicated databases require operator management of primaries and secondaries and the associated replication links. Asynchronous replication can improve availability and scale read capacity, but does not offer any distributed consistency guarantees. Semi-synchronous replication further improves availability, but does not improve distributed isolation.
This is the traditional RDBMS scale-out model.
Maximum isolation level | Default isolation level | Minimum isolation level | Replication architecture | Limitations | |
Oracle | Snapshot | Snapshot | Read committed | Asynchronous replication | Oracle's SERIALIZABLE isolation is not serializable, but is actually snapshot isolation with write conflict detection. This allows write skew anomalies. |
MySQL | Serializable, primary node only | Repeatable read, primary node only | Read uncommitted | Semi-synchronous replication | |
PostgreSQL | Serializable, primary node only | Read committed | Read committed | Semi-synchronous replication |
Conclusion
A good way to think about isolation is in terms of the breadth of potential anomalies. The lower the isolation level, the more types of anomalies can occur, and the harder it is to reason about application behavior both at steady-state and under faults. At Fauna, we encourage you to think critically about whether your current databases really guarantee the level of transactional isolation you need.
References
- Calvin: Fast Distributed Transactionsfor Partitioned Database Systems
- Spanner: Google’s Globally-Distributed Database
- Large-scale Incremental Processing Using Distributed Transactions and Notifications
- Cloud Spanner: TrueTime and external consistency
- FoundationDB Consistency
- FoundationDB Record Layer:A Multi-Tenant Structured Datastore
- CockroachDB's Consistency Model
- Jepsen CockroachDB beta-20160829
- YugaByte Isolation Levels
- TiDB Transaction Isolation Levels
- Consistency levels in Azure Cosmos DB
- Transactions and optimistic concurrency control
- How are Cassandra transactions different from RDBMS transactions?
- Jepsen MongoDB 3.6.4
If you enjoyed our blog, and want to work on systems and challenges related to globally distributed systems, serverless databases, GraphQL, and Jamstack, Fauna is hiring!
Subscribe to Fauna's newsletter
Get latest blog posts, development tips & tricks, and latest learning material delivered right to your inbox.