LIST PERMISSIONS
List of permissions. Filter list by resource and/or role.
Restriction:
- Only superusers can list all permissions.
- Requires DESCRIBE permission on the target resources and roles.
Synopsis
LIST ( ALL PERMISSIONS | <permission_list> ) [ ON <resource_name> ] [ OF <role_name> ] [ NORECURSIVE ] ;
Omit |
Syntax legend
Syntax conventions | Description |
---|---|
UPPERCASE | Literal keyword. |
Lowercase | Not literal. |
|
Variable value. Replace with a user-defined value. |
|
Optional.
Square brackets ( |
|
Group.
Parentheses ( |
|
Or.
A vertical bar ( |
|
Repeatable.
An ellipsis ( |
|
Single quotation ( |
|
Map collection.
Braces ( |
Set, list, map, or tuple.
Angle brackets ( |
|
|
End CQL statement.
A semicolon ( |
|
Separate the command line options from the command arguments with two hyphens ( |
|
Search CQL only: Single quotation marks ( |
|
Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrConfig files. |
List options
- privilege
  For DSE 5.1 only. Permissions granted on a resource to a role; grant a privilege at any level of the resource hierarchy. The full set of available privileges is:
  - ALL PERMISSIONS
  - ALTER
  - AUTHORIZE
  - CREATE
  - DESCRIBE
  - DROP
  - EXECUTE
  - MODIFY
  - PROXY.EXECUTE
  - PROXY.LOGIN
  - SEARCH.ALTER
  - SEARCH.COMMIT
  - SEARCH.CREATE
  - SEARCH.DROP
  - SEARCH.REBUILD
  - SEARCH.RELOAD
  - SELECT
- <permission>
  Type of access a role has on a database resource. Use ALL PERMISSIONS or a comma-separated list of permissions. Permissions are resource-specific as follows:
  - Data - ALL PERMISSIONS or ALTER, AUTHORIZE [FOR <permission_list>], CREATE, DESCRIBE, DROP, MODIFY (deprecated), SELECT, TRUNCATE, or UPDATE (allows INSERT, UPDATE, or DELETE)
  - Functions (and aggregates) - ALL PERMISSIONS or ALTER, AUTHORIZE [FOR <permission_list>], CREATE, and DROP
  - Search indexes - AUTHORIZE [FOR <permission_list>], SEARCH.ALTER, SEARCH.COMMIT, SEARCH.CREATE, SEARCH.DROP, SEARCH.REBUILD, and SEARCH.RELOAD
  - Roles - ALL PERMISSIONS or ALTER, AUTHORIZE [FOR <permission_list>], CREATE, DESCRIBE, DROP, PROXY.EXECUTE, and PROXY.LOGIN
  - JMX (MBeans) - ALL PERMISSIONS or AUTHORIZE [FOR <permission_list>], DESCRIBE, EXECUTE, MODIFY, and SELECT
  - Remote procedure calls (RPC) - ALL PERMISSIONS or AUTHORIZE [FOR <permission_list>], EXECUTE, MODIFY, and SELECT
  - Authentication schemes - ALL PERMISSIONS or AUTHORIZE [FOR <permission_list>] and EXECUTE
  - Spark workpools - ALL PERMISSIONS or AUTHORIZE [FOR <permission_list>], CREATE, and DESCRIBE
  - Spark submissions - ALL PERMISSIONS or AUTHORIZE [FOR <permission_list>], DESCRIBE, and MODIFY
  To manage access control, the role must have authorize permission on the resource for the type of permission.
When |
|
- <resource_name>
  Apache Cassandra® database objects on which permissions are applied. Database resources have a modelled hierarchy: the permission on a top-level object gives the role the same permission on the object's ancestors. Identify the resource using the following keywords:
  - Data - ALL KEYSPACES > KEYSPACE <keyspace_name> > ALL TABLES IN KEYSPACE <keyspace_name> > TABLE <table_name> > '<filtering_data>' ROWS IN <table_name>
  - Functions (including aggregates) - ALL FUNCTIONS, ALL FUNCTIONS IN KEYSPACE <keyspace_name>, and FUNCTION <keyspace_name.function_name>(<argument_types>)
  - Search indexes - ALL SEARCH INDICES > SEARCH KEYSPACE <keyspace_name> > SEARCH INDICES [<keyspace_name>.]<table_name>
  - JMX MBeans - ALL MBEANS > MBEAN <mbean_name> and MBEANS <pattern>
  - Remote procedure calls (RPC) - ALL REMOTE CALLS > REMOTE METHOD <name> | REMOTE OBJECT <name>
  - Roles - ALL ROLES > ROLE <role_name>
  - Authentication schemes - ALL SCHEMES > LDAP | KERBEROS | INTERNAL
  - Analytic applications
    - Workpools - ANY WORKPOOL > WORKPOOL '<dc_name>.*' > WORKPOOL '<dc_name>.<workpool_name>'
    - Submissions - ANY SUBMISSION > ANY SUBMISSION IN WORKPOOL '<datacenter_name>.*' > '<datacenter_name>.<workpool_name>' > SUBMISSION <ID>
- role_name
  Selects a role. If the role name has capital letters or special characters, enclose it in single quotes.
- NORECURSIVE
  Only display permissions granted to the role. By default, permission checks are recursive and show both direct and inherited permissions.
List output
The list command shows the following information:
list all permissions of role1;
role | username | resource | permission | granted | restricted | grantable
-------+----------+--------------------+------------+---------+------------+-----------
role1 | role1 | <keyspace cycling> | DROP | False | True | True
role1 | role1 | <keyspace cycling> | AUTHORIZE | True | True | False
role2 | role2 | <keyspace cycling> | CREATE | True | False | False
role3 | role3 | <keyspace cycling> | DROP | False | False | True
role3 | role3 | <keyspace cycling> | UPDATE | True | False | False
(5 rows)
- role
  The name of the role that the permission was granted or authorized on.
- username
  If the role is associated with a legacy user account, the user name displays; otherwise the role name displays.
- resource
  The resource name in angle brackets.
- permission
  The name of the permission.
When |
- granted
  - True - Users can execute the commands granted by the permission on the resource. When AUTHORIZE has granted equal to true, users with the role can grant other permissions that have been granted to them on the resource to other roles.
  - False - Users cannot execute the permission commands.
- restricted
  - True - Denies execution of the commands associated with the permission on the resource even if granted is true. If grantable is true, users with the role can still AUTHORIZE roles other than their own.
  - False - Users can execute commands that have granted equal to true.
- grantable
  - True - Allows grant or revoke of the permission on the resource to another role, other than any of their own roles.
  - False - AUTHORIZE FOR permission has not been granted.
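
The granted, restricted and grantable columns combine per row, so an access review has to read all three together. The following Python sketch is an added example, not DataStax code: it parses the table format shown above and flags rows for review. The finding labels, the `parse` and `audit` function names, and the rule that restricted overrides granted when deciding whether AUTHORIZE is usable are assumptions drawn from the column descriptions.

```python
# Added example: audit cqlsh LIST PERMISSIONS output.
# SAMPLE is constructed from rows shown in the outputs on this page.
SAMPLE = """\
 role     | username | resource           | permission | granted | restricted | grantable
----------+----------+--------------------+------------+---------+------------+-----------
 dbadmin  | dbadmin  | <all keyspaces>    | AUTHORIZE  | True    | False      | False
 coach    | coach    | <keyspace cycling> | SELECT     | True    | False      | False
 db_admin | db_admin | <keyspace cycling> | SELECT     | False   | True       | False
 role1    | role1    | <keyspace cycling> | AUTHORIZE  | True    | True       | False
 sam      | sam      | <keyspace cycling> | UPDATE     | False   | False      | True
(5 rows)
"""
BOOL_COLS = ("granted", "restricted", "grantable")

def parse(text):
    """Return one dict per permission row of the pipe-delimited table."""
    rows, header = [], None
    for line in text.splitlines():
        if "|" not in line:  # rule line, row count, blank lines
            continue
        cells = [c.strip() for c in line.split("|")]
        if header is None:
            header = cells
            continue
        if len(cells) != len(header):
            raise ValueError(f"unexpected column count: {line!r}")
        row = dict(zip(header, cells))
        for col in BOOL_COLS:
            if row[col] not in ("True", "False"):
                raise ValueError(f"bad {col} value: {line!r}")
            row[col] = row[col] == "True"
        rows.append(row)
    return rows

def audit(rows):
    """Flag rows worth a reviewer's attention (labels are hypothetical)."""
    findings = []
    for r in rows:
        what = f'{r["permission"]} on {r["resource"]}'
        # Assumption from the column text: restricted overrides granted.
        effective = r["granted"] and not r["restricted"]
        if r["granted"] and r["restricted"]:
            findings.append((r["role"], "granted-but-restricted", what))
        if r["grantable"] or (r["permission"] == "AUTHORIZE" and effective):
            findings.append((r["role"], "can-delegate", what))
        if effective and r["resource"].startswith("<all "):
            findings.append((r["role"], "broad-scope", what))
    return findings

if __name__ == "__main__":
    for finding in audit(parse(SAMPLE)):
        print(*finding, sep=" | ")
```

Feed it the text captured from `LIST ALL PERMISSIONS;` to review every role, or from `LIST ALL PERMISSIONS OF <role_name> NORECURSIVE;` to see only direct grants.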
Example
All permissions for all roles and resources
List permissions given to all the roles on all resources:
LIST ALL PERMISSIONS;
Individual role permissions
List all permissions given to sam:
LIST ALL PERMISSIONS OF sam;
Output is:
role | username | resource | permission | granted | restricted | grantable
------+----------+--------------------+------------+---------+------------+-----------
sam | sam | <keyspace cycling> | SELECT | False | False | True
sam | sam | <keyspace cycling> | UPDATE | False | False | True
(2 rows)
All permissions on a resource
List all permissions on the cyclist_name table:
LIST ALL PERMISSIONS ON cycling.cyclist_name;
Output is:
role | username | resource | permission | granted | restricted | grantable
---------------+---------------+------------------------------+------------+---------+------------+-----------
cassandra | cassandra | <keyspace cycling> | CREATE | True | False | False
cassandra | cassandra | <keyspace cycling> | ALTER | True | False | False
cassandra | cassandra | <keyspace cycling> | DROP | True | False | False
cassandra | cassandra | <keyspace cycling> | SELECT | True | False | False
cassandra | cassandra | <keyspace cycling> | UPDATE | True | False | False
cassandra | cassandra | <keyspace cycling> | AUTHORIZE | True | False | False
cassandra | cassandra | <keyspace cycling> | DESCRIBE | True | False | False
cassandra | cassandra | <table cycling.cyclist_name> | ALTER | True | False | False
cassandra | cassandra | <table cycling.cyclist_name> | DROP | True | False | False
cassandra | cassandra | <table cycling.cyclist_name> | SELECT | True | False | False
cassandra | cassandra | <table cycling.cyclist_name> | UPDATE | True | False | False
cassandra | cassandra | <table cycling.cyclist_name> | AUTHORIZE | True | False | False
coach | coach | <keyspace cycling> | ALTER | True | False | False
coach | coach | <keyspace cycling> | SELECT | True | False | False
coach | coach | <keyspace cycling> | UPDATE | True | False | False
cycling_admin | cycling_admin | <keyspace cycling> | CREATE | True | False | False
cycling_admin | cycling_admin | <keyspace cycling> | ALTER | True | False | False
cycling_admin | cycling_admin | <keyspace cycling> | DROP | True | False | False
cycling_admin | cycling_admin | <keyspace cycling> | SELECT | True | False | False
cycling_admin | cycling_admin | <keyspace cycling> | UPDATE | True | False | False
cycling_admin | cycling_admin | <keyspace cycling> | AUTHORIZE | True | False | False
cycling_admin | cycling_admin | <keyspace cycling> | DESCRIBE | True | False | False
db_admin | db_admin | <keyspace cycling> | SELECT | False | True | False
db_admin | db_admin | <keyspace cycling> | UPDATE | False | True | False
dbadmin | dbadmin | <all keyspaces> | CREATE | True | False | False
dbadmin | dbadmin | <all keyspaces> | ALTER | True | False | False
dbadmin | dbadmin | <all keyspaces> | DROP | True | False | False
dbadmin | dbadmin | <all keyspaces> | SELECT | True | False | False
dbadmin | dbadmin | <all keyspaces> | UPDATE | True | False | False
dbadmin | dbadmin | <all keyspaces> | AUTHORIZE | True | False | False
dbadmin | dbadmin | <all keyspaces> | DESCRIBE | True | False | False
role_admin | role_admin | <keyspace cycling> | SELECT | False | True | False
role_admin | role_admin | <keyspace cycling> | UPDATE | False | True | False
sam | sam | <keyspace cycling> | SELECT | False | False | True
sam | sam | <keyspace cycling> | UPDATE | False | False | True
(35 rows)