How to set role permissions.
Authentication and authorization should be set based on roles, rather than users. Authentication and authorization for Cassandra 2.2 and later are based on roles, and user commands are included only for legacy backwards compatibility.
Roles may be granted to other roles to create hierarchical permissions structures; in
these hierarchies, permissions and
SUPERUSER status are inherited,
LOGIN privilege is not.
ALL KEYSPACES > KEYSPACE > TABLE. Functions are hierarchical in the following manner:
ALL FUNCTIONS > KEYSPACE > FUNCTION.
ROLEScan also be hierarchical and encompass other
ROLES. Permissions can be granted on:
- CREATE - keyspace, table, function, role, index
- ALTER - keyspace, table, function, role
- DROP - keyspace, table, function, role, index
- SELECT - keyspace, table
- MODIFY - INSERT, UPDATE, DELETE, TRUNCATE - keyspace, table
- AUTHORIZE - GRANT PERMISSION, REVOKE PERMISSION - keyspace, table, function, role, MBean (in Cassandra 3.6 and later)
- DESCRIBE - LIST ROLES
- EXECUTE - SELECT, INSERT, UPDATE - functions
The first line grants anyone with the team_manager role
the ability to
INSERT, UPDATE, DELETE, and TRUNCATEany table in the keyspace cycling. The second line grants anyone with the sys_admin role the ability to view all roles in the database.
GRANT MODIFY ON KEYSPACE cycling TO team_manager; GRANT DESCRIBE ON ALL ROLES TO sys_admin;
The first line revokes
SELECTin all keyspaces for anyone with the team_manager role. The second line prevents the team_manager role from executing the named function
REVOKE SELECT ON ALL KEYSPACES FROM team_manager; REVOKE EXECUTE ON FUNCTION cycling.fLog(double) FROM team_manager;
All permissions can be listed, for either all keyspaces or a single
LIST ALL PERMISSIONS OF sandy; LIST ALL PERMISSIONS ON cycling.cyclist_name OF chuck;
Grant permission to drop all functions, including aggregate in the current
GRANT DROP ON ALL FUNCTIONS IN KEYSPACE TO coach;