GRANT PERMISSION
Grants access to data resources to a role. Database resources are database objects that store or modify data, such as keyspaces, tables, and functions. Permissions are applied immediately, even to active client sessions.
Enable authentication and authorization in the |
Syntax
GRANT <permission> ON <resource> TO <role_name> ;
Syntax legend
Syntax conventions | Description |
---|---|
UPPERCASE |
Literal keyword. |
Lowercase |
Not literal. |
|
Variable value. Replace with a user-defined value. |
|
Optional.
Square brackets ( |
|
Group.
Parentheses ( |
|
Or.
A vertical bar ( |
|
Repeatable.
An ellipsis ( |
|
Single quotation ( |
|
Map collection.
Braces ( |
Set, list, map, or tuple.
Angle brackets ( |
|
|
End CQL statement.
A semicolon ( |
|
Separate the command line options from the command arguments with two hyphens ( |
|
Search CQL only: Single quotation marks ( |
|
Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrConfig files. |
Access control matrix tables
In the following tables, the hierarchy of permissions is shown for each resource type, as well as the permissions that can be granted on each resource.
Data resources
Cassandra database objects on which permissions are applied. Database resources have modelled hierarchy, the permission on a top level object gives the role the same permission on the objects ancestors.
Resource permissions
Type of access a role has to a database resource.
The following hierarchy is true for data:
ALL KEYSPACES
> KEYSPACE <keyspace_name>
> ALL TABLES IN KEYSPACE <keyspace_name>
> TABLE <table_name>
> '<filtering_data>' ROWS IN <table_name>
Resource type: Data
Privilege | Resource | Permissions |
---|---|---|
ALL PERMISSIONS |
|
All operations that are applicable to the resource and its ancestors, where resource name is listed below. |
ALTER |
ALL KEYSPACES |
ALTER KEYSPACE, ALTER TABLE, ALTER TYPE, RESTRICT ROW in any keyspace. |
ALTER |
KEYSPACE |
ALTER KEYSPACE, ALTER TABLE, ALTER TYPE, and RESTRICT ROW in specified keyspace. |
ALTER |
TABLE |
ALTER TABLE and RESTRICT ROW of specified table. |
CREATE |
ALL KEYSPACES |
CREATE KEYSPACE, CREATE TABLE, CREATE FUNCTIONS, and CREATE TYPE in any keyspace. |
CREATE |
KEYSPACE |
CREATE TABLE and CREATE TYPE in specified keyspace. |
DROP |
ALL KEYSPACES |
DROP KEYSPACE, DROP TABLE, and DROP TYPE in any keyspace |
DROP |
KEYSPACE |
DROP TABLE and DROP TYPE in specified keyspace |
DROP |
TABLE |
DROP TABLE specified. |
MODIFY |
|
MODIFY on rows that exactly match the |
MODIFY |
ALL KEYSPACES |
INSERT, UPDATE, DELETE, and TRUNCATE on any table. |
MODIFY |
KEYSPACE |
INSERT, UPDATE, DELETE, and TRUNCATE on any table in specified keyspace. |
MODIFY |
TABLE |
INSERT, UPDATE, DELETE, and TRUNCATE on specified table. |
SELECT |
|
SELECT on rows that exactly match the |
SELECT |
ALL KEYSPACES |
SELECT on any table. |
SELECT |
KEYSPACE |
SELECT on any table in specified keyspace. |
SELECT |
TABLE |
SELECT on specified table. |
The following hierarchy is true for JMX resources:
ALL MBEANS
> MBEAN <mbean_name>
and MBEANS <pattern>
Resource type: JMX
Privilege | Resource | Permissions |
---|---|---|
DESCRIBE |
ALL MBEANS |
Retrieve metadata about any mbean from the platform’s MBeanServer. |
DESCRIBE |
MBEAN |
Retrieve metadata about a named mbean from the platform’s MBeanServer. |
DESCRIBE |
MBEANS pattern |
Retrieve metadata about any mbean matching a wildcard pattern from the platform’s MBeanServer. |
EXECUTE |
ALL MBEANS |
Execute operations on any mbean. |
EXECUTE |
MBEAN |
Execute operations on named mbean. |
EXECUTE |
MBEANS pattern |
Execute operations on any mbean matching a wildcard pattern. |
MODIFY |
ALL MBEANS |
Call setter methods on any mbean. |
MODIFY |
MBEAN |
Call setter methods on named mbean. |
MODIFY |
MBEANS pattern |
Call setter methods on any mbean matching a wildcard pattern. |
SELECT |
ALL MBEANS |
Call getter methods on any mbean. |
SELECT |
MBEAN |
Call getter methods on named mbean. |
SELECT |
MBEANS pattern |
Call getter methods on any mbean matching a wildcard pattern. |
Examples
Grant simple permission on a resource to a role
-
Grant the
ALTER
permission on the keyspacecycling
to thecoach
role:
GRANT ALTER ON KEYSPACE cycling TO coach;
-
Grant the
SELECT
permission on all keyspaces to theteam_manager
role:
GRANT SELECT ON ALL KEYSPACES TO team_manager;
-
Grant
EXECUTE
on functions to theteam_manager
role:
GRANT EXECUTE ON FUNCTION cycling.fLog(double) TO team_manager;
Grant all permissions on a resource to a role
-
Grant all permissions on the keyspace
cycling
to thecycling_admin
role:
GRANT ALL PERMISSIONS ON KEYSPACE cycling TO cycling_admin;
Grant AUTHORIZE permission on a resource to a role
-
Grant the
AUTHORIZE
permission on all keyspaces to thesys_admin
role:
GRANT AUTHORIZE ON ALL KEYSPACES TO sys_admin;
-
Grant the
AUTHORIZE
permission on the keyspacecycling
to thecycling_admin
role:
GRANT AUTHORIZE ON KEYSPACE cycling TO cycling_admin;
-
Grant the
AUTHORIZE
permission on the tablecycling.birthday_list
to thesam
role:
GRANT AUTHORIZE ON TABLE cycling.birthday_list TO sam;
Manage permissions using GRANT
and REVOKE
.
A role can only modify permissions of another role and can only modify ( |
-
Assign the role full access to the cycling keyspace:
GRANT ALL PERMISSIONS ON KEYSPACE cycling TO cycling_admin;
-
Now assign the role to the coach.
GRANT cycling_admin TO coach;
This allows you to manage the permissions of all cycling administrators by modifying the
cycling_admin
role. -
View the coach’s permissions.
CREATE ROLE IF NOT EXISTS coach WITH LOGIN = true AND PASSWORD = 'All4One2day!';
Use AUTHORIZE
to allow a role to manage access control of specific resources.
-
Allow role to grant any permission type, including
AUTHORIZE
, on all objects in the cycling keyspace:GRANT AUTHORIZE ON KEYSPACE cycling TO cycling_admin;
This makes the role a superuser in the cycling keyspace because roles can modify their own permissions as well as roles that they inherit permissions from.
-
Allow the
sam
role to assign permission to run queries and change data in the cycling keyspace on a specific table:GRANT AUTHORIZE ON TABLE cycling.birthday_list TO sam;