Managing object permissions using internal authorization

Use GRANT/REVOKE to grant or revoke permissions to access Cassandra data.

You use the familiar relational database GRANT/REVOKE paradigm to grant or revoke permissions to access Cassandra data. A superuser grants initial permissions, and subsequently a user may or may not be given the permission to grant/revoke permissions. Object permission management is independent of authentication (works with Kerberos or Cassandra).

CQL supports the following authorization statements:

Accessing system resources

Read access to these system tables is implicitly given to every authenticated user because the tables are used by most Cassandra tools:

system.schema_keyspace
system.schema_columns
system.schema_columnfamilies
system.local
system.peers

Configuration

CassandraAuthorizer is one of many possible IAuthorizer implementations, and the one that stores permissions in the system_auth.permissions table to support all authorization-related CQL statements. Configuration consists mainly of changing the authorizer option in cassandra.yaml as described in Configuring internal authentication and authorization.

Note: You must set internal authentication and authorization at the same time.

The location of the cassandra.yaml file depends on the type of installation:

Package installations	/etc/cassandra/cassandra.yaml
Tarball installations	`install_location`/resources/cassandra/conf/cassandra.yaml