How to provide 'only insert' privilege to a role in Cassandra?

Question

I am creating a keyspace in Cassandra and I would like to provide different permissions like Insert and update only, delete only etc. Cassandra provides MODIFY privilege as a whole. But I could not find any resources as to how this can be done to meet my requirement.

As of now, For example, if a role 'clerk' can only insert, I am planning to provide MODIFY privilege to 'clerk' and write a trigger to avoid deletes from that role.

This feels like a roundabout tour. Is this a good way? Can it be done in a better or straight-forward way?

Answer 1

There is a fundamental reason why this is not possible. One of the claims to fame of Cassandra is its very efficient writes, even on slow-seeking spinning disks. This is achieved by making writes just write, to contiguous disk files - without reading the previous version of the data first. One of the consequences of this is that in Cassandra, an INSERT and UPDATE operation are exactly the same (there's actually one difference regarding empty rows, but it's not interesting for this discussion). Both operations can create a new item, or modify an existing item, and Cassandra wouldn't know which at the time of the write - it will only figure this out much later, while compacting old and new data together.

In particular this means you cannot have separate permissions to add new data vs. modify existing data, because at the time of the write Cassandra cannot figure out if there is pre-existing data or not, without sacrificing performance. Beyond performance, there is also a question of correctness in a distributed setting - what would you expect to happen if two clients concurrently write new data to the same row, and both are only allowed to write new data but not to overwrite old data?

For the same reason, it is also rather pointless to have separate permissions for the DELETE operation on rows or partitions. The thing is, one can delete data with UPDATE or INSERT operations as well: One can UPDATE data to be null, or update it to have a TTL (expiration time) of 0, or overwrite the data with other data. So forbidding only the actual "DELETE" operation is hardly a protection against anything.