CREATE ROLE
Creates a cluster-wide database object used for access control to database resources, such as keyspaces, tables, and functions. Use roles to:
- Define a set of permissions that can be granted to other roles and mapped to external users.
- Create login accounts for CQL users.
A superuser role is a full-access account. Using one for routine work is not recommended for production environments; grant narrowly scoped roles instead.
Synopsis
CREATE ROLE [ IF NOT EXISTS ] <role_name>
  [ WITH [ SUPERUSER = ( true | false ) ]
         [ [ AND ] LOGIN = ( true | false ) ]
         [ [ AND ] ( PASSWORD = '<role_password>' | HASHED PASSWORD = '<hashed_role_password>' ) ]
         [ [ AND ] ( ACCESS TO DATACENTERS { '<dc_name>' [ , ... ] } | ACCESS TO ALL DATACENTERS ) ]
         [ [ AND ] OPTIONS = { <option_map> } ] ] ;
Syntax legend
Syntax conventions | Description |
---|---|
UPPERCASE | Literal keyword. |
Lowercase | Not literal. |
<Italics> | Variable value. Replace with a user-defined value. |
[ ] | Optional. Square brackets ( [ ] ) surround optional command arguments. Do not type the square brackets. |
( ) | Group. Parentheses ( ( ) ) identify a group to choose from. Do not type the parentheses. |
Vertical bar | Or. A vertical bar separates alternative elements. Type any one of the elements. Do not type the vertical bar. |
... | Repeatable. An ellipsis ( ... ) indicates that you can repeat the syntax element as often as required. |
' Literal string ' | Single quotation ( ' ) marks must surround literal strings in CQL statements. Use single quotation marks to preserve upper case. |
{ key : value } | Map collection. Braces ( { } ) enclose map collections or key value pairs. A colon separates the key from the value. |
<datatype1>,<datatype2> | Set, list, map, or tuple. Angle brackets ( < > ) enclose data types in a set, list, map, or tuple. Separate the data types with a comma. |
cql_statement; | End CQL statement. A semicolon ( ; ) terminates all CQL statements. |
[--] | Separate the command line options from the command arguments with two hyphens ( -- ). This syntax is useful when arguments might be mistaken for command line options. |
' <schema> ... </schema> ' | Search CQL only: Single quotation marks ( ' ) surround an entire XML schema declaration. |
@xml_entity='xml_entity_type' | Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrConfig files. |
- role_name
Use a unique name for the role. DataStax Enterprise folds unquoted names to lowercase; enclose the name in double quotes to preserve case or to use special characters. To map external users to roles automatically with DSE Unified Authenticator, the role name must exactly match the LDAP group name, including case.
- SUPERUSER
true gives the role full access to every database resource and the ability to create, alter, and drop other roles, including other superusers. Only a superuser can create a role with SUPERUSER = true. Default: false. Reserve superuser roles for initial setup and administration; they are not recommended for routine use in production environments.
- LOGIN
true allows the role to log in. Use true to create login accounts for internal authentication (PasswordAuthenticator) or DSE Unified Authenticator. Default: false.
- WITH PASSWORD | WITH HASHED PASSWORD
Enclose the password or hashed password in single quotes. Internal authentication requires a login role to have a password or hashed password. The hashed form is a bcrypt hash, such as the one produced by the DSE hash_password tool. Prefer HASHED PASSWORD when the statement is typed in cqlsh or kept in a script: a plain-text PASSWORD literal is recorded in the cqlsh history file (~/.cassandra/cqlsh_history) and in the script itself. Roles for users authenticated by an external directory, such as DSE Unified Authenticator, must have login enabled with no password or hashed password.
- ACCESS TO DATACENTERS { '<dc_name>' [ , ... ] } | ACCESS TO ALL DATACENTERS
Restricts the datacenters in which the role may connect to nodes. Default: access to all datacenters.
- OPTIONS = { <option_map> }
Reserved for use with authentication plug-ins. Refer to the authenticator documentation for details.
Examples
Creating a login account
- Create a login role for coach:
CREATE ROLE IF NOT EXISTS coach WITH PASSWORD = 'All4One2day!' AND LOGIN = true;
If the password is supplied already hashed, use WITH HASHED PASSWORD instead:
CREATE ROLE IF NOT EXISTS coach WITH HASHED PASSWORD = '$2a$10$8ht4.R2aar38wyXdJxHzj.Ww8xDL5wBYGt1SJ2l46N34MBjLSyD.e' AND LOGIN = true;
Internal authentication requires the role to have a password or hashed password. The hashed password above was generated with the DSE tool:
hash_password -p All4One2day!
- Verify that the account works by logging in:
LOGIN coach
- Enter the password at the prompt:
Password:
- The cqlsh prompt then includes the role name:
coach@cqlsh>
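The statements above are typed by hand, but provisioning scripts often build CREATE ROLE from role names and hashes pulled from a directory or a secrets store. Two details then matter: the role name must be double-quoted (with embedded double quotes doubled) so that a crafted name cannot close the identifier and append its own clause, and the hash handed to WITH HASHED PASSWORD should have the bcrypt shape that hash_password produces. The following Python is an added example, not DataStax code or part of the original page; its bcrypt shape check, the minimum-cost policy of 10, and accepting the $2b$ prefix alongside the $2a$ that hash_password emits are assumptions of the example, and the sample hash is the one from the page.

```python
"""Safely render CREATE ROLE statements and sanity-check a bcrypt hash.

Added example, not DataStax code. Assumes only the quoting rules of CQL
(double quotes around identifiers, single quotes around string literals,
embedded quotes doubled) and the bcrypt format the hash_password tool emits.
"""
import re
from typing import List, Optional

# bcrypt modular-crypt format: $2a$<cost>$ followed by a 22-character salt and
# a 31-character digest (53 characters of ./A-Za-z0-9), 60 characters in all.
# hash_password emits the $2a$ variant; also accepting $2b$ is an assumption.
_BCRYPT_RE = re.compile(r"^\$2[ab]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_BCRYPT_COST = 10  # policy chosen for this example: at least 2**10 rounds


def quote_identifier(name: str) -> str:
    """Double-quote a CQL identifier so case and special characters survive.

    Embedded double quotes are doubled, so a crafted name such as
    coach" WITH SUPERUSER = true -- stays inside the identifier instead of
    closing it and appending its own clause.
    """
    if not name:
        raise ValueError("empty identifier")
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value: str) -> str:
    """Single-quote a CQL string literal, doubling embedded single quotes."""
    return "'" + value.replace("'", "''") + "'"


def check_bcrypt_hash(hashed: str) -> bool:
    """True if `hashed` has the bcrypt shape and a cost at or above the policy minimum."""
    m = _BCRYPT_RE.match(hashed)
    return bool(m) and int(m.group(1)) >= MIN_BCRYPT_COST


def create_role_statement(name: str,
                          password: Optional[str] = None,
                          hashed_password: Optional[str] = None,
                          login: bool = False,
                          superuser: bool = False,
                          datacenters: Optional[List[str]] = None) -> str:
    """Render CREATE ROLE IF NOT EXISTS with the options given.

    A login role under internal authentication needs exactly one of
    `password` or `hashed_password`; a permissions-only role needs neither.
    `datacenters` renders an ACCESS TO DATACENTERS set literal; None leaves
    the default (access to all datacenters).
    """
    if password is not None and hashed_password is not None:
        raise ValueError("give either password or hashed_password, not both")
    if hashed_password is not None and not check_bcrypt_hash(hashed_password):
        raise ValueError("hashed_password is not a bcrypt hash with cost >= %d"
                         % MIN_BCRYPT_COST)
    if login and password is None and hashed_password is None:
        raise ValueError("a login role needs a password or hashed password")

    clauses = []
    if superuser:
        clauses.append("SUPERUSER = true")
    clauses.append("LOGIN = %s" % ("true" if login else "false"))
    if password is not None:
        clauses.append("PASSWORD = " + quote_literal(password))
    if hashed_password is not None:
        clauses.append("HASHED PASSWORD = " + quote_literal(hashed_password))
    if datacenters is not None:
        clauses.append("ACCESS TO DATACENTERS {%s}"
                       % ", ".join(quote_literal(dc) for dc in datacenters))
    return "CREATE ROLE IF NOT EXISTS %s WITH %s;" % (
        quote_identifier(name), " AND ".join(clauses))


if __name__ == "__main__":
    # Hash from the page's example, reused here as sample input.
    sample_hash = "$2a$10$8ht4.R2aar38wyXdJxHzj.Ww8xDL5wBYGt1SJ2l46N34MBjLSyD.e"
    print(create_role_statement("coach", hashed_password=sample_hash, login=True))
    print(create_role_statement("cycling_admin"))
    # A hostile role name cannot escape the identifier quoting.
    print(create_role_statement('coach" WITH SUPERUSER = true --',
                                hashed_password=sample_hash, login=True))
```

Because the name is rendered as a quoted identifier, the role is created with exactly the case and characters given, which is also what the DSE Unified Authenticator LDAP-group mapping requires. A hash that is not bcrypt-shaped, or that was generated with too low a cost, is rejected before any statement is sent to the cluster.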
Creating a role
A best practice when using internal authentication is to keep permissions roles separate from login accounts. Once a role has been created it can be granted to another role; see GRANT for details. Roles for externally authenticated users are mapped by the user's group name, and LDAP mapping is case sensitive.
Create a role for the cycling keyspace administrator, that is, a role that has full permissions on the cycling keyspace only.
- Create the role:
CREATE ROLE IF NOT EXISTS cycling_admin;
At this point the role has no permissions. Manage permissions using GRANT and REVOKE. A role can grant or revoke a permission on a resource only if it holds that permission itself.
- Assign the role full access to the cycling keyspace:
GRANT ALL PERMISSIONS ON KEYSPACE cycling TO cycling_admin;
- Now assign the role to coach:
GRANT cycling_admin TO coach;
This lets you manage the permissions of all cycling administrators by modifying the cycling_admin role rather than each login account.
- View the coach's effective permissions, including those inherited through cycling_admin:
LIST ALL PERMISSIONS OF coach;
Changing a password
A role can change the password or hashed password for itself, or for another role that it has permission to modify. A superuser can change the password or hashed password of any role. Use ALTER ROLE to change a role's password:
ALTER ROLE sandy WITH PASSWORD = 'bestTeam';
or with a hashed password:
ALTER ROLE sandy WITH HASHED PASSWORD = '$2a$10$Mvs4GDHlNG8MhYe5SFi7ge1R1SMbScIPVtKReSEKpqwcQOvep0Zqq';