A team is developing a stateless Docker container with the Cassandra database to be run under Kubernetes, with all data and metadata files shipped inside the container, so putting the database into a read-only mode would be ideal. The app to be connected to this database is an infrequently updated feature store.
How can read-only mode be approximated as closely as possible, specifically in the case of Cassandra or perhaps even in general (if some of the actions undertaken here are in common)?
CodePudding user response:
There is a readOnly field in volume mounts, so specify that in your app YAML file, or you can run the app process as a non-root user (read about SecurityContext) and define permissions on your file so that only the root user can write to it.
CodePudding user response:
Enable both authentication and authorization in your Cassandra image with:
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
Then provision a new role with only view permissions to the keyspace/tables you want them to access, for example:
CREATE ROLE readonlyrole WITH LOGIN = false AND PASSWORD = 'Som3Pa$$word';
GRANT SELECT ON KEYSPACE appks TO readonlyrole;
This role will not be able to log in and will only have read access to the app keyspace. Cheers!
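An added example, not part of the answer above: because readonlyrole is created with LOGIN = false, the application needs a login role of its own that inherits the read-only permission. The role names featurestore_app and ops_admin, the table appks.features and both passwords are placeholders assumed for illustration, and the session is assumed to start as the default cassandra superuser.

```cql
-- Added example; run in cqlsh as a superuser after enabling
-- PasswordAuthenticator and CassandraAuthorizer.
-- featurestore_app, ops_admin and both passwords are placeholders.

-- 1. Login role for the application, holding no permissions of its own.
CREATE ROLE IF NOT EXISTS featurestore_app
  WITH LOGIN = true
  AND SUPERUSER = false
  AND PASSWORD = 'REPLACE_WITH_APP_SECRET';

-- 2. Inherit SELECT on appks from the non-login role defined above.
GRANT readonlyrole TO featurestore_app;

-- 3. Confirm the effective permissions: only SELECT on keyspace appks
--    should be listed (inherited through readonlyrole).
LIST ROLES OF featurestore_app;
LIST ALL PERMISSIONS OF featurestore_app;

-- 4. Replace the well-known default superuser so it cannot be used to
--    bypass the read-only role.
CREATE ROLE IF NOT EXISTS ops_admin
  WITH LOGIN = true
  AND SUPERUSER = true
  AND PASSWORD = 'REPLACE_WITH_ADMIN_SECRET';
-- Reconnect as ops_admin before running the next statement: a role
-- cannot alter its own superuser status.
ALTER ROLE cassandra WITH SUPERUSER = false AND LOGIN = false;

-- 5. Check from a session logged in as featurestore_app
--    (appks.features is a hypothetical table):
--      SELECT * FROM appks.features LIMIT 1;            -- allowed
--      INSERT / UPDATE / DELETE / TRUNCATE on appks.*   -- rejected as unauthorized
```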