Managing object permissions using internal authorization

Use GRANT/REVOKE to grant or revoke permissions to access Cassandra data.

You use the familiar relational database GRANT/REVOKE paradigm to grant or revoke permissions to access Cassandra data. A superuser grants initial permissions, and subsequently a user may or may not be given the permission to grant/revoke permissions. Object permission management is independent of authentication (works with Kerberos or Cassandra).

CQL supports the following authorization statements:

Accessing system resources 

Read access to these system tables is implicitly given to every authenticated user because the tables are used by most Cassandra tools:

  • system.schema_keyspace
  • system.schema_columns
  • system.schema_columnfamilies
  • system.local
  • system.peers


CassandraAuthorizer is one of many possible IAuthorizer implementations, and the one that stores permissions in the system_auth.permissions table to support all authorization-related CQL statements. Configuration consists mainly of changing the authorizer option in the cassandra.yaml as described in Configuring internal authentication and authorization.

Note: You must set internal authentication and authorization at the same time.