| = 29. Cassandra mailbox deletion cleanup |
| |
| Date: 2020-04-12 |
| |
| == Status |
| |
| Accepted (lazy consensus) |
| |
| == Context |
| |
| Cassandra is used within distributed James product to hold messages and mailboxes metadata. |
| |
| Cassandra holds the following tables: |
| |
| * mailboxPathV2 + mailbox allowing to retrieve mailboxes informations |
| * acl + UserMailboxACL hold denormalized information |
| * messageIdTable & imapUidTable allow to retrieve mailbox context information |
| * messageV2 table holds message metadata |
| * attachmentV2 holds attachments for messages |
| * References to these attachments are contained within the attachmentOwner and attachmentMessageId tables |
| |
| Currently, the deletion only deletes the first level of metadata. |
| Lower level metadata stay unreachable. |
| The data looks deleted but references are actually still present. |
| |
| Concretely: |
| |
| * Upon mailbox deletion, only mailboxPathV2 & mailbox content is deleted. |
| messageIdTable, imapUidTable, messageV2, attachmentV2 & attachmentMessageId metadata are left undeleted. |
| * Upon mailbox deletion, acl + UserMailboxACL are not deleted. |
| * Upon message deletion, only messageIdTable & imapUidTable content are deleted. |
| messageV2, attachmentV2 & attachmentMessageId metadata are left undeleted. |
| |
| This jeopardize efforts to regain disk space and privacy, for example through blobStore garbage collection. |
| |
| == Decision |
| |
| We need to cleanup Cassandra metadata. |
| They can be retrieved from dandling metadata after the delete operation had been conducted out. |
| We need to delete the lower levels first so that upon failures undeleted metadata can still be reached. |
| |
| This cleanup is not needed for strict correctness from a MailboxManager point of view thus it could be carried out asynchronously, via mailbox listeners so that it can be retried. |
| |
| == Consequences |
| |
| Mailbox listener failures lead to eventBus retrying their execution, we need to ensure the result of the deletion to be idempotent. |