Managing object permissions using internal authorization
Use GRANT/REVOKE to grant or revoke permissions to access Cassandra data.
Cassandra uses the familiar relational database GRANT/REVOKE paradigm to grant or revoke permissions to access Cassandra data. A superuser grants the initial permissions; after that, a user can grant or revoke permissions only if that user has been given the permission to do so. Object permission management is independent of authentication: it works whether users are authenticated by Kerberos or by Cassandra.
CQL supports the following authorization statements:
Accessing system resources
Read access to these system tables is implicitly given to every authenticated user because the tables are used by most Cassandra tools:
- system.schema_keyspaces
- system.schema_columns
- system.schema_columnfamilies
- system.local
- system.peers
Configuration
CassandraAuthorizer is one of many possible IAuthorizer implementations, and the one that stores permissions in the system_auth.permissions table to support all authorization-related CQL statements. Configuration consists mainly of changing the authorizer option in cassandra.yaml as described in Configuring internal authentication and authorization.
The location of the cassandra.yaml file depends on the type of installation:
- Package installations: /etc/dse/cassandra/cassandra.yaml
- Tarball installations: install_location/resources/cassandra/conf/cassandra.yaml
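The delegation model described above (a superuser grants initial permissions, and a user can then grant or revoke only if given that permission) looks like this as a cqlsh session. This is an added example, not part of the original documentation; the keyspaces `sales` and `hr`, the table `sales.orders`, the user names and the passwords are hypothetical, and it assumes authentication is enabled and the authorizer option is set to CassandraAuthorizer.

```cql
-- Added example: all keyspace, table and user names are hypothetical.
-- Assumes cassandra.yaml has the authorizer option set to CassandraAuthorizer
-- and that every session below is an authenticated login.

-- 1. Logged in as a superuser: create two ordinary (non-superuser) accounts.
CREATE USER app_reader WITH PASSWORD 'constructed-pw-1' NOSUPERUSER;
CREATE USER team_lead  WITH PASSWORD 'constructed-pw-2' NOSUPERUSER;

-- 2. Least privilege for the application account: read one table only.
GRANT SELECT ON TABLE sales.orders TO app_reader;

-- 3. team_lead may read and write the keyspace. AUTHORIZE is the permission
--    that allows a non-superuser to run GRANT and REVOKE on that resource.
GRANT SELECT    ON KEYSPACE sales TO team_lead;
GRANT MODIFY    ON KEYSPACE sales TO team_lead;
GRANT AUTHORIZE ON KEYSPACE sales TO team_lead;

-- 4. Logged in as team_lead: delegation works inside the sales keyspace.
GRANT SELECT ON KEYSPACE sales TO app_reader;

--    The same statement against another keyspace is rejected as
--    unauthorized, because team_lead holds no AUTHORIZE permission there:
-- GRANT SELECT ON KEYSPACE hr TO app_reader;

-- 5. Logged in as a superuser: review what is actually in effect.
LIST ALL PERMISSIONS OF app_reader;
LIST ALL PERMISSIONS ON KEYSPACE sales;

-- 6. Withdraw the delegation. Grants team_lead already made are stored
--    per user and resource in system_auth.permissions, so they stay in
--    place until they are revoked explicitly.
REVOKE AUTHORIZE ON KEYSPACE sales FROM team_lead;
REVOKE SELECT    ON KEYSPACE sales FROM app_reader;

-- 7. Confirm that app_reader is back to the single table-level grant.
LIST ALL PERMISSIONS OF app_reader;
```

Running the LIST statements in steps 5 and 7 after any permission change is a quick way to catch a keyspace-level grant that is broader than the table-level grant the account was meant to have.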