GRANT
Defines resource authorization.
Assigns privileges to roles on database resources, such as keyspaces, tables, functions.
Synopsis
GRANT privilege
ON resource_name
TO role_name
Syntax conventions | Description |
---|---|
UPPERCASE | Literal keyword. |
Lowercase | Not literal. |
Italics | Variable value. Replace with a user-defined value. |
[] | Optional. Square brackets ( [] ) surround optional command arguments. Do not type the square brackets. |
( ) | Group. Parentheses ( ( ) ) identify a group to choose from. Do not type the parentheses. |
\| | Or. A vertical bar ( \| ) separates alternative elements. Type any one of the elements. Do not type the vertical bar. |
... | Repeatable. An ellipsis ( ... ) indicates that you can repeat the syntax element as often as required. |
'Literal string' | Single quotation ( ' ) marks must surround literal strings in CQL statements. Use single quotation marks to preserve upper case. |
{ key : value } | Map collection. Braces ( { } ) enclose map collections or key value pairs. A colon separates the key and the value. |
<datatype1,datatype2> | Set, list, map, or tuple. Angle brackets ( < > ) enclose data types in a set, list, map, or tuple. Separate the data types with a comma. |
cql_statement; | End CQL statement. A semicolon ( ; ) terminates all CQL statements. |
[--] | Separate the command line options from the command arguments with two hyphens ( -- ). This syntax is useful when arguments might be mistaken for command line options. |
' <schema> ... </schema> ' | Search CQL only: Single quotation marks ( ' ) surround an entire XML schema declaration. |
@xml_entity='xml_entity_type' | Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrConfig files. |
- privilege
Permissions granted on a resource to a role. A privilege can be granted at any level of the resource hierarchy, and is inherited by every resource below that level. The full set of available privileges is:
- ALL PERMISSIONS
- ALTER
- AUTHORIZE
- CREATE
- DESCRIBE
- DROP
- EXECUTE
- MODIFY
- SELECT
- resource_name
Cassandra database objects to which permissions are applied. The full list of available objects is:
- ALL FUNCTIONS
- ALL FUNCTIONS IN KEYSPACE keyspace_name
- FUNCTION function_name
- ALL KEYSPACES
- KEYSPACE keyspace_name
- TABLE table_name
- ALL ROLES
- ROLE role_name
- ALL MBEANS
- MBEANS pattern
- MBEAN mbean_name
Access control matrix
Resources form hierarchies, and a privilege granted on a parent applies to all of its descendants:
- Data resources: ALL KEYSPACES > KEYSPACE keyspace_name > TABLE table_name.
- Functions (user-defined functions and aggregates): ALL FUNCTIONS > ALL FUNCTIONS IN KEYSPACE keyspace_name > FUNCTION function_name.
- Roles: ALL ROLES > ROLE role_name.
- JMX resources: ALL MBEANS > MBEAN mbean_name; MBEANS pattern covers every mbean whose name matches the wildcard pattern.
Not all privileges apply to every type of resource. For instance, EXECUTE
is only relevant in the context of functions, and DESCRIBE only to roles and mbeans. Attempting to grant a privilege on a
resource to which it is not applicable results in an error rather than a silently ignored grant.
The following table shows the relationship between privileges and resources, and describes the resulting permissions.
Privilege | Resource | Permissions |
---|---|---|
ALL PERMISSIONS (or ALL) | resource_name | Every privilege that is applicable to the resource. Like any grant, it is inherited by the resource's descendants (for example, by every table in a keyspace), not by its ancestors. |
CREATE | ALL KEYSPACES | CREATE KEYSPACE and CREATE TABLE in any keyspace. |
CREATE | KEYSPACE keyspace_name | CREATE TABLE in specified keyspace. |
CREATE | ALL FUNCTIONS | CREATE FUNCTION in any keyspace and CREATE AGGREGATE in any keyspace. |
CREATE | ALL FUNCTIONS IN KEYSPACE keyspace_name | CREATE FUNCTION and CREATE AGGREGATE in specified keyspace. |
CREATE | ALL ROLES | CREATE ROLE |
ALTER | ALL KEYSPACES | ALTER KEYSPACE and ALTER TABLE in any keyspace. |
ALTER | KEYSPACE keyspace_name | ALTER KEYSPACE and ALTER TABLE in specified keyspace. |
ALTER | TABLE table_name | ALTER TABLE specified table. |
ALTER | ALL FUNCTIONS | CREATE FUNCTION and CREATE AGGREGATE, also replace existing. |
ALTER | ALL FUNCTIONS IN KEYSPACE keyspace_name | CREATE FUNCTION and CREATE AGGREGATE, also replace existing, in specified keyspace. |
ALTER | FUNCTION function_name | CREATE FUNCTION and CREATE AGGREGATE, also replace existing. |
ALTER | ALL ROLES | ALTER ROLE on any role |
ALTER | ROLE role_name | ALTER ROLE specified role. |
DROP | ALL KEYSPACES | DROP KEYSPACE and DROP TABLE in any keyspace |
DROP | KEYSPACE keyspace_name | DROP TABLE in specified keyspace |
DROP | TABLE table_name | DROP TABLE specified. |
DROP | ALL FUNCTIONS | DROP FUNCTION and DROP AGGREGATE in any keyspace. |
DROP | ALL FUNCTIONS IN KEYSPACE keyspace_name | DROP FUNCTION and DROP AGGREGATE in specified keyspace. |
DROP | FUNCTION function_name | DROP FUNCTION specified function. |
DROP | ALL ROLES | DROP ROLE on any role. |
DROP | ROLE role_name | DROP ROLE specified role. |
SELECT | ALL KEYSPACES | SELECT on any table. |
SELECT | KEYSPACE keyspace_name | SELECT on any table in specified keyspace. |
SELECT | TABLE table_name | SELECT on specified table. |
SELECT | ALL MBEANS | Call getter methods on any mbean. |
SELECT | MBEANS pattern | Call getter methods on any mbean matching a wildcard pattern. |
SELECT | MBEAN mbean_name | Call getter methods on named mbean. |
MODIFY | ALL KEYSPACES | INSERT, UPDATE, DELETE and TRUNCATE on any table. |
MODIFY | KEYSPACE keyspace_name | INSERT, UPDATE, DELETE and TRUNCATE on any table in specified keyspace. |
MODIFY | TABLE table_name | INSERT, UPDATE, DELETE and TRUNCATE on specified table. |
MODIFY | ALL MBEANS | Call setter methods on any mbean. |
MODIFY | MBEANS pattern | Call setter methods on any mbean matching a wildcard pattern. |
MODIFY | MBEAN mbean_name | Call setter methods on named mbean. |
AUTHORIZE | ALL KEYSPACES | GRANT PERMISSION and REVOKE PERMISSION on any table. |
AUTHORIZE | KEYSPACE keyspace_name | GRANT PERMISSION and REVOKE PERMISSION on any table in specified keyspace. |
AUTHORIZE | TABLE table_name | GRANT PERMISSION and REVOKE PERMISSION on specified table. |
AUTHORIZE | ALL FUNCTIONS | GRANT PERMISSION and REVOKE PERMISSION on any function. |
AUTHORIZE | ALL FUNCTIONS IN KEYSPACE keyspace_name | GRANT PERMISSION and REVOKE PERMISSION on any function in specified keyspace. |
AUTHORIZE | FUNCTION function_name | GRANT PERMISSION and REVOKE PERMISSION on specified function. |
AUTHORIZE | ALL ROLES | GRANT ROLE and REVOKE ROLE on any role. |
AUTHORIZE | ROLE role_name | GRANT ROLE and REVOKE ROLE on specified role. |
DESCRIBE | ALL ROLES | LIST ROLES on all roles or only roles granted to another, specified role. |
DESCRIBE | ALL MBEANS | Retrieve metadata about any mbean from the platform's MBeanServer. |
EXECUTE | ALL FUNCTIONS | SELECT, INSERT and UPDATE using any function, and use of any function in CREATE AGGREGATE. |
EXECUTE | ALL FUNCTIONS IN KEYSPACE keyspace_name | SELECT, INSERT and UPDATE using any function in specified keyspace and use of any function in keyspace in CREATE AGGREGATE. |
EXECUTE | FUNCTION function_name | SELECT, INSERT and UPDATE using specified function and use of the function in CREATE AGGREGATE. |
role_name | resource_name | Roles are a collection of privileges; granting a role to another role gives the recipient every privilege of the granted role, on every resource, including privileges the granted role itself inherits. |
Examples
In most environments, user authentication is handled by a plug-in that verifies users' credentials against an external directory service such as LDAP. The CQL role is mapped to the external group by matching the role name to a group name. For simplicity, these examples use internal users. In every case the role must already exist before privileges can be granted to it.
Give the role coach permission to perform SELECT queries on all tables in all keyspaces:
GRANT SELECT ON ALL KEYSPACES TO coach;
Give the role manager permission to perform INSERT, UPDATE, DELETE and TRUNCATE queries on all tables in the field keyspace:
GRANT MODIFY ON KEYSPACE field TO manager;
Give the role coach permission to perform ALTER KEYSPACE queries on the cycling keyspace, and also ALTER TABLE, CREATE INDEX and DROP INDEX queries on all tables in the cycling keyspace:
GRANT ALTER ON KEYSPACE cycling TO coach;
Give the role coach permission to run all types of queries on the cycling.name table:
GRANT ALL PERMISSIONS ON cycling.name TO coach;
Give an existing administrator role full access to the cycling keyspace. Because ALL includes AUTHORIZE, cycling_admin can also grant and revoke permissions on the keyspace's tables to other roles:
GRANT ALL ON KEYSPACE cycling TO cycling_admin;
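The access control matrix and the examples above both rest on two rules: a privilege must be applicable to the level of the resource it is granted on, and a grant is inherited downward through the hierarchy. The model below, added here as an example and not Cassandra or DataStax code, parses the page's own GRANT statements, rejects inapplicable grants the way the server does, and answers "does this role hold this privilege on this resource" by walking the ancestors. The applicability sets are transcribed from the matrix; the role, keyspace, table and function names are constructed sample data, and quoted (case-preserving) identifiers and the MBEANS wildcard form are not modelled.

```python
"""Model of CQL GRANT semantics: applicability per resource level and inheritance
down the resource hierarchy. Added example, not Cassandra/DataStax code."""
import re
from collections import defaultdict

# Privileges grantable at each level, transcribed from the access control matrix.
# Depth 1 is the root of a family (ALL KEYSPACES / ALL FUNCTIONS / ALL ROLES).
APPLICABLE = {
    ("data", 1): {"CREATE", "ALTER", "DROP", "SELECT", "MODIFY", "AUTHORIZE"},
    ("data", 2): {"CREATE", "ALTER", "DROP", "SELECT", "MODIFY", "AUTHORIZE"},
    ("data", 3): {"ALTER", "DROP", "SELECT", "MODIFY", "AUTHORIZE"},        # TABLE
    ("function", 1): {"CREATE", "ALTER", "DROP", "AUTHORIZE", "EXECUTE"},
    ("function", 2): {"CREATE", "ALTER", "DROP", "AUTHORIZE", "EXECUTE"},
    ("function", 3): {"ALTER", "DROP", "AUTHORIZE", "EXECUTE"},            # FUNCTION
    ("role", 1): {"CREATE", "ALTER", "DROP", "AUTHORIZE", "DESCRIBE"},
    ("role", 2): {"ALTER", "DROP", "AUTHORIZE"},                           # ROLE
}

_GRANT = re.compile(
    r"^\s*GRANT\s+(ALL\s+PERMISSIONS|ALL|[A-Z]+)\s+ON\s+(.+?)\s+TO\s+(\w+)\s*;?\s*$", re.I)


def parse_resource(text):
    """Map a resource_name clause to a path tuple; ancestors are prefixes of the path."""
    t = " ".join(text.split())
    u = t.upper()
    if u == "ALL KEYSPACES":
        return ("data",)
    if u == "ALL FUNCTIONS":
        return ("function",)
    if u == "ALL ROLES":
        return ("role",)
    if u.startswith("ALL FUNCTIONS IN KEYSPACE "):
        return ("function", t.split()[-1])
    if u.startswith("KEYSPACE "):
        return ("data", t.split()[-1])
    if u.startswith("ROLE "):
        return ("role", t.split()[-1])
    if u.startswith("FUNCTION "):
        name = t.split(None, 1)[1].split("(")[0]   # drop the argument-type signature
        if "." not in name:
            raise ValueError(f"function must be keyspace-qualified: {text!r}")
        return ("function", *name.split("."))
    body = t.split(None, 1)[1] if u.startswith("TABLE ") else t   # TABLE keyword optional
    if "." not in body:
        raise ValueError(f"cannot parse resource: {text!r}")
    return ("data", *body.split("."))


class Authorizer:
    def __init__(self):
        self.grants = defaultdict(lambda: defaultdict(set))   # role -> resource -> privileges

    def grant(self, statement):
        """Apply one GRANT statement; raise ValueError for an inapplicable privilege."""
        m = _GRANT.match(statement)
        if not m:
            raise ValueError(f"not a GRANT statement: {statement!r}")
        privilege = " ".join(m.group(1).upper().split())
        resource_text, role = m.group(2), m.group(3)
        resource = parse_resource(resource_text)
        applicable = APPLICABLE[(resource[0], len(resource))]
        if privilege in ("ALL", "ALL PERMISSIONS"):
            privs = set(applicable)        # ALL expands to what applies at this level
        elif privilege in applicable:
            privs = {privilege}
        else:
            raise ValueError(f"{privilege} is not applicable to {resource_text}")
        self.grants[role][resource] |= privs
        return privs

    def effective(self, role, resource_text):
        """Union of privileges granted on the resource and on each of its ancestors."""
        resource = parse_resource(resource_text)
        privs = set()
        for depth in range(1, len(resource) + 1):
            privs |= self.grants[role].get(resource[:depth], set())
        return privs

    def is_allowed(self, role, privilege, resource_text):
        return privilege.upper() in self.effective(role, resource_text)


def grant_accepted(auth, statement):
    """True if the grant is applied, False if it is rejected as inapplicable."""
    try:
        auth.grant(statement)
        return True
    except ValueError:
        return False


# Constructed sample input: the GRANT statements from the examples on this page.
PAGE_GRANTS = [
    "GRANT SELECT ON ALL KEYSPACES TO coach;",
    "GRANT MODIFY ON KEYSPACE field TO manager;",
    "GRANT ALTER ON KEYSPACE cycling TO coach;",
    "GRANT ALL PERMISSIONS ON cycling.name TO coach;",
    "GRANT ALL ON KEYSPACE cycling TO cycling_admin;",
]


def build_from_page():
    auth = Authorizer()
    for stmt in PAGE_GRANTS:
        auth.grant(stmt)
    return auth


if __name__ == "__main__":
    auth = build_from_page()
    print(sorted(auth.effective("coach", "TABLE cycling.name")))
    print(auth.is_allowed("coach", "DROP", "KEYSPACE cycling"))
```

Two points the walk makes visible: the ALL PERMISSIONS grant on cycling.name gives coach nothing on the cycling keyspace itself (inheritance only flows downward), and a grant such as EXECUTE on a keyspace or CREATE on a table is refused at grant time rather than silently stored. On a live cluster the equivalent check is LIST ALL PERMISSIONS OF role_name, which shows the stored grants per resource.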