Database roles
How to create and work with roles.
Roles enable authorization management on a larger scale than per-user security can provide. A role is created once and may then be granted to other roles, so hierarchical sets of permissions can be built and a user inherits everything granted to the roles below it. For more information, see Role Based Access Control in Cassandra.
Procedure
-
Create a role with a password. IF NOT EXISTS is included so that the statement succeeds as a no-op if a role of that name already exists and the existing definition is left untouched (without it, creating an existing role is an error). LOGIN defaults to false, so this role cannot yet be used to connect; the password only becomes usable once LOGIN = true is set. Note that cqlsh records the statement, password included, in its history file.
cqlsh> CREATE ROLE IF NOT EXISTS team_manager WITH PASSWORD = 'RockIt4Us!';
-
Create a role with LOGIN and SUPERUSER privileges. LOGIN allows a client to identify as this role when connecting. SUPERUSER grants every permission on every resource, so a superuser can create roles without holding CREATE permission on them; only a superuser can create another superuser. Both options default to false.
cqlsh> CREATE ROLE sys_admin WITH PASSWORD = 'IcanDoIt4ll' AND LOGIN = true AND SUPERUSER = true;
-
Alter a role to change its options. PASSWORD, LOGIN, and SUPERUSER can be modified with ALTER ROLE. To modify properties of a role, the user must have ALTER permission on that role (a role may change its own password without it). A role with SUPERUSER status can alter the SUPERUSER status of another role, but not that of the role it is currently logged in as.
cqlsh> ALTER ROLE sys_admin WITH PASSWORD = 'All4one1forAll' AND SUPERUSER = false;
-
Grant a role to a user or to another role. Executing GRANT and REVOKE statements requires AUTHORIZE permission on the role being granted or revoked. Granting sys_admin to team_manager and team_manager to sandy gives sandy every permission held by sys_admin, so build a hierarchy deliberately and grant the least privilege each level needs. Circular grants are rejected.
cqlsh> GRANT sys_admin TO team_manager;
cqlsh> GRANT team_manager TO sandy;
-
List roles. LIST ROLES shows every role; LIST ROLES OF sandy shows the roles sandy holds.
cqlsh> LIST ROLES;
cqlsh> LIST ROLES OF sandy;
Note: NORECURSIVE is an option that lists only the roles granted directly to a user. Without NORECURSIVE, roles acquired transitively (for example, sys_admin via team_manager) are also listed.
-
Revoke a role that was previously granted to a user or to another role. Every permission the grantee derived from that role is revoked with it. Role and permission lookups are cached on each node (roles_validity_in_ms and permissions_validity_in_ms in cassandra.yaml), so a revocation takes effect only after the cached entries expire.
cqlsh> REVOKE sys_admin FROM team_manager;
cqlsh> REVOKE team_manager FROM sandy;
-
Drop a role that is not the role you are currently logged in as. The user must have DROP permission on the role or be a SUPERUSER, and only a SUPERUSER can drop another SUPERUSER role. Dropping a role also removes it from every role it was granted to and discards its permissions.
cqlsh> DROP ROLE IF EXISTS sys_admin;
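The procedure above as one complete cqlsh script, added here as an example and not taken from the Cassandra documentation or code base. It keeps the page's role names but changes the hierarchy to a least-privilege one: instead of granting the superuser role sys_admin to team_manager, it grants a read-only role and keyspace permissions, so the difference between LIST ROLES OF with and without NORECURSIVE is visible and no login role inherits superuser status. The keyspace sales, the role sales_reader, and the login role sandy are assumptions for illustration.

```cql
-- Added example: whole procedure as a script. Keyspace 'sales', role
-- 'sales_reader' and login role 'sandy' are assumed for illustration.

-- LOGIN and SUPERUSER default to false, so login roles are marked explicitly.
-- sys_admin is a superuser only for as long as it takes to bootstrap.
CREATE ROLE IF NOT EXISTS sys_admin    WITH PASSWORD = 'IcanDoIt4ll' AND LOGIN = true AND SUPERUSER = true;
CREATE ROLE IF NOT EXISTS sales_reader;                                     -- no LOGIN: a pure permission bundle
CREATE ROLE IF NOT EXISTS team_manager WITH PASSWORD = 'RockIt4Us!' AND LOGIN = true;
CREATE ROLE IF NOT EXISTS sandy        WITH PASSWORD = 'Change-Me-On-First-Login' AND LOGIN = true;

-- Least privilege: permissions go on the non-login roles, not on sys_admin.
GRANT SELECT ON KEYSPACE sales TO sales_reader;
GRANT MODIFY ON KEYSPACE sales TO team_manager;

-- Build the hierarchy: sandy -> team_manager -> sales_reader.
-- Each GRANT needs AUTHORIZE on the role being granted (a superuser has it).
GRANT sales_reader TO team_manager;
GRANT team_manager TO sandy;

-- Direct vs. transitive membership.
LIST ROLES OF sandy NORECURSIVE;   -- team_manager only
LIST ROLES OF sandy;               -- team_manager and, through it, sales_reader
LIST ALL PERMISSIONS OF sandy;     -- effective permissions, inherited ones included

-- Demote the bootstrap superuser once the hierarchy exists and rotate its
-- password. A role cannot alter its own SUPERUSER status, so run this as a
-- different superuser (the default 'cassandra' role, for example).
ALTER ROLE sys_admin WITH PASSWORD = 'All4one1forAll' AND SUPERUSER = false;

-- Tear-down. Revocations become effective after the role/permission caches
-- (roles_validity_in_ms, permissions_validity_in_ms) expire on each node.
REVOKE team_manager FROM sandy;
REVOKE sales_reader FROM team_manager;
DROP ROLE IF EXISTS sys_admin;     -- needs DROP permission or superuser; not while logged in as sys_admin
```

Run the script as a superuser other than sys_admin (cqlsh -u cassandra -f roles.cql, assuming the default superuser still exists), since the ALTER ROLE step would otherwise be a self-alteration of SUPERUSER status and be rejected. The passwords are literal in the file, so protect or delete it afterwards, just as with the cqlsh history file.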