LIST PERMISSIONS
List the permissions, filtered by either resource and/or role.
When using this command, you can omit the ON
clause to display all related resources or omit the OF
clause to display all role permissions.
A role must have the DESCRIBE
permission on the target resources and roles to list their permissions.
Only superusers can list all permissions.
Syntax
LIST ( ALL PERMISSIONS | <permission_list> )[ ON <resource_name> ] [ OF <role_name> ][ NORECURSIVE ] ;
Syntax legend
Syntax conventions | Description |
---|---|
UPPERCASE |
Literal keyword. |
Lowercase |
Not literal. |
|
Variable value. Replace with a user-defined value. |
|
Optional.
Square brackets ( |
|
Group.
Parentheses ( |
|
Or.
A vertical bar ( |
|
Repeatable.
An ellipsis ( |
|
Single quotation ( |
|
Map collection.
Braces ( |
Set, list, map, or tuple.
Angle brackets ( |
|
|
End CQL statement.
A semicolon ( |
|
Separate the command line options from the command arguments with two hyphens ( |
|
Search CQL only: Single quotation marks ( |
|
Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrConfig files. |
Access control matrix tables
In the following tables, the hierarchy of permissions is shown for each resource type, as well as the permissions that can be granted on each resource.
Data resources
Cassandra database objects on which permissions are applied. Database resources have modelled hierarchy, the permission on a top level object gives the role the same permission on the objects ancestors.
Resource permissions
Type of access a role has to a database resource.
The following hierarchy is true for data:
ALL KEYSPACES
> KEYSPACE <keyspace_name>
> ALL TABLES IN KEYSPACE <keyspace_name>
> TABLE <table_name>
> '<filtering_data>' ROWS IN <table_name>
Resource type: Data
Privilege | Resource | Permissions |
---|---|---|
ALL PERMISSIONS |
|
All operations that are applicable to the resource and its ancestors, where resource name is listed below. |
ALTER |
ALL KEYSPACES |
ALTER KEYSPACE, ALTER TABLE, ALTER TYPE, RESTRICT ROW in any keyspace. |
ALTER |
KEYSPACE |
ALTER KEYSPACE, ALTER TABLE, ALTER TYPE, and RESTRICT ROW in specified keyspace. |
ALTER |
TABLE |
ALTER TABLE and RESTRICT ROW of specified table. |
CREATE |
ALL KEYSPACES |
CREATE KEYSPACE, CREATE TABLE, CREATE FUNCTIONS, and CREATE TYPE in any keyspace. |
CREATE |
KEYSPACE |
CREATE TABLE and CREATE TYPE in specified keyspace. |
DROP |
ALL KEYSPACES |
DROP KEYSPACE, DROP TABLE, and DROP TYPE in any keyspace |
DROP |
KEYSPACE |
DROP TABLE and DROP TYPE in specified keyspace |
DROP |
TABLE |
DROP TABLE specified. |
MODIFY |
|
MODIFY on rows that exactly match the |
MODIFY |
ALL KEYSPACES |
INSERT, UPDATE, DELETE, and TRUNCATE on any table. |
MODIFY |
KEYSPACE |
INSERT, UPDATE, DELETE, and TRUNCATE on any table in specified keyspace. |
MODIFY |
TABLE |
INSERT, UPDATE, DELETE, and TRUNCATE on specified table. |
SELECT |
|
SELECT on rows that exactly match the |
SELECT |
ALL KEYSPACES |
SELECT on any table. |
SELECT |
KEYSPACE |
SELECT on any table in specified keyspace. |
SELECT |
TABLE |
SELECT on specified table. |
The following hierarchy is true for functions:
ALL FUNCTIONS
> ALL FUNCTIONS IN KEYSPACE <keyspace_name>
and FUNCTION <keyspace_name.function_name>(<argument_types>)
Resource type: Functions
Privilege | Resource | Permissions |
---|---|---|
ALTER |
ALL FUNCTIONS |
CREATE FUNCTION and CREATE AGGREGATE, also replace existing. |
ALTER |
ALL FUNCTIONS IN KEYSPACE |
CREATE FUNCTION and CREATE AGGREGATE, also replace existing in specified keyspace |
ALTER |
FUNCTION |
CREATE FUNCTION and CREATE AGGREGATE, also replace existing. |
CREATE |
ALL FUNCTIONS |
CREATE FUNCTION in any keyspace and CREATE AGGREGATE in any keyspace. |
CREATE |
ALL FUNCTIONS IN KEYSPACE |
CREATE FUNCTION and CREATE AGGREGATE in specified keyspace. |
DROP |
ALL FUNCTIONS |
DROP FUNCTION and DROP AGGREGATE in any keyspace. |
DROP |
ALL FUNCTIONS IN KEYSPACE |
DROP FUNCTION and DROP AGGREGATE in specified keyspace. |
DROP |
FUNCTION |
DROP FUNCTION specified function. |
EXECUTE |
ALL FUNCTIONS |
SELECT, INSERT, and UPDATE using any function, and use of any function in CREATE AGGREGATE. |
EXECUTE |
ALL FUNCTIONS IN KEYSPACE |
SELECT, INSERT, and UPDATE using any function in specified keyspace and use of any function in a keyspace in CREATE AGGREGATE. |
EXECUTE |
FUNCTION |
SELECT, INSERT, and UPDATE using specified function, and use of the function in CREATE AGGREGATE. |
The following hierarchy is true for JMX resources:
ALL MBEANS
> MBEAN <mbean_name>
and MBEANS <pattern>
Resource type: JMX
Privilege | Resource | Permissions |
---|---|---|
DESCRIBE |
ALL MBEANS |
Retrieve metadata about any mbean from the platform’s MBeanServer. |
DESCRIBE |
MBEAN |
Retrieve metadata about a named mbean from the platform’s MBeanServer. |
DESCRIBE |
MBEANS pattern |
Retrieve metadata about any mbean matching a wildcard pattern from the platform’s MBeanServer. |
EXECUTE |
ALL MBEANS |
Execute operations on any mbean. |
EXECUTE |
MBEAN |
Execute operations on named mbean. |
EXECUTE |
MBEANS pattern |
Execute operations on any mbean matching a wildcard pattern. |
MODIFY |
ALL MBEANS |
Call setter methods on any mbean. |
MODIFY |
MBEAN |
Call setter methods on named mbean. |
MODIFY |
MBEANS pattern |
Call setter methods on any mbean matching a wildcard pattern. |
SELECT |
ALL MBEANS |
Call getter methods on any mbean. |
SELECT |
MBEAN |
Call getter methods on named mbean. |
SELECT |
MBEANS pattern |
Call getter methods on any mbean matching a wildcard pattern. |
The following hierarchy is true for roles:
ALL ROLES
> ROLE <role_name>
Resource type: Role management
Privilege | Resource | Permissions |
---|---|---|
ALTER |
ALL ROLES |
ALTER ROLE on any role. |
ALTER |
ROLE |
ALTER ROLE for specified role. |
AUTHORIZE |
|
GRANT privilege and REVOKE privilege on the resource. Note: Roles are resources. Requires that user has AUTHORIZE on the resource. |
CREATE |
ALL ROLES |
CREATE ROLE. |
DESCRIBE |
ALL ROLES |
LIST privilege on all roles or only roles granted to another specified role. |
DROP |
ALL ROLES |
Drop all roles. |
DROP |
ROLE |
Drop the specified role. |
PROXY.EXECUTE |
ROLE |
After authenticating issue individual requests as a different user. |
PROXY.LOGIN |
ROLE |
After authenticating issue all requests as a different user. |
|
|
Grant role (as a set of permissions) to another role. Requires AUTHORIZE permission on the permission role and target role. |
The following hierarchy is true for search indexes:
ALL SEARCH INDICES
> SEARCH KEYSPACE <keyspace_name>
> SEARCH INDICES [<keyspace_name>.]<table_name>
> SEARCH INDEX <keyspace_name>.<table_name>
Resource type: Search index
Privilege | Resource | Permissions |
---|---|---|
ALL PERMISSIONS |
ALL SEARCH INDICES |
All search index privileges for all search indexes in the system. |
ALL PERMISSIONS |
SEARCH KEYSPACE |
All search index privileges for all tables in specified keyspace. |
ALL PERMISSIONS |
SEARCH INDEX |
All search index privileges for specified table. |
SEARCH.ALTER |
ALL SEARCH INDICES |
ALTER SEARCH INDEX on all tables in all keyspaces. |
SEARCH.ALTER |
SEARCH KEYSPACE |
ALTER SEARCH INDEX on all tables in specified keyspace. |
SEARCH.ALTER |
SEARCH INDEX |
ALTER SEARCH INDEX on specified table. |
SEARCH.COMMIT |
ALL SEARCH INDICES |
COMMIT SEARCH INDEX on all tables in all keyspaces. |
SEARCH.COMMIT |
SEARCH KEYSPACE |
COMMIT SEARCH INDEX on all tables in specified keyspace. |
SEARCH.COMMIT |
SEARCH INDEX |
COMMIT SEARCH INDEX on specified table. |
SEARCH.CREATE |
ALL SEARCH INDICES |
CREATE SEARCH INDEX on all tables in all keyspaces. |
SEARCH.CREATE |
SEARCH KEYSPACE |
CREATE SEARCH INDEX on all tables in specified keyspace. |
SEARCH.CREATE |
SEARCH INDEX |
CREATE SEARCH INDEX on specified table. |
SEARCH.DROP |
ALL SEARCH INDICES |
DROP SEARCH INDEX on all tables in all keyspaces. |
SEARCH.DROP |
SEARCH KEYSPACE |
DROP SEARCH INDEX on all tables in specified keyspace. |
SEARCH.DROP |
SEARCH INDEX |
DROP SEARCH INDEX on specified table. |
SEARCH.REBUILD |
ALL SEARCH INDICES |
REBUILD SEARCH INDEX on any table in all keyspaces. |
SEARCH.REBUILD |
SEARCH KEYSPACE |
REBUILD SEARCH INDEX on all tables in specified keyspace. |
SEARCH.REBUILD |
SEARCH INDEX |
REBUILD SEARCH INDEX on specified table. |
SEARCH.RELOAD |
ALL SEARCH INDICES |
RELOAD SEARCH INDEX on all tables in all keyspaces. |
SEARCH.RELOAD |
SEARCH KEYSPACE |
RELOAD SEARCH INDEX on all tables in specified keyspace. |
SEARCH.RELOAD |
SEARCH INDEX |
RELOAD SEARCH INDEX on specified table. |
The following hierarchy is true for Spark application workpools:
ANY WORKPOOL
> WORKPOOL <datacenter_name>.*
> `WORKPOOL <datacenter_name>.<workpool_name>
The following hierarchy is true for Spark application submissions:
ANY SUBMISSION
> ANY SUBMISSION IN WORKPOOL <datacenter_name>.*
> SUBMISSION <application_ID>
Resource type: Spark applications
Privilege | Resource | Permissions |
---|---|---|
CREATE |
ANY WORKPOOL |
Submit an application to the work pool in any datacenter. |
CREATE |
WORKPOOL |
Submit an application to the work pool in a specific datacenter. |
MODIFY |
ANY SUBMISSION |
Manage any applications across all datacenters. |
MODIFY |
ANY SUBMISSION IN WORKPOOL |
Manage applications in a specified datacenter. |
MODIFY |
SUBMISSION application_ID IN WORKPOOL |
Manage a single application in a specified datacenter. |
- role_name
-
Selects a role. If the role name has capital letters or special characters enclose it in single quotes.
- NORECURSIVE
-
Only display permissions granted to the role. By default permissions checks are recursive, and show direct and inherited permissions.
List output
The list command shows the following information:
LIST ALL PERMISSION OF role1;
Results
role | username | resource | permission | granted | restricted | grantable
-------+----------+--------------------+------------+---------+------------+-----------
role1 | role1 | <keyspace cycling> | DROP | False | True | True
role1 | role1 | <keyspace cycling> | AUTHORIZE | True | True | False
role2 | role2 | <keyspace cycling> | CREATE | True | False | False
role3 | role3 | <keyspace cycling> | DROP | False | False | True
role3 | role3 | <keyspace cycling> | UPDATE | True | False | False
(5 rows)
Output columns
Column | Description |
---|---|
|
The name of the role that the permission was granted or authorized on. |
|
If the role is associated with a legacy user account the user name displays, else the role name displays. |
|
The resource name in angle brackets. |
|
The name of the permission.
When |
|
|
|
|
|
|
Example
All permissions for all roles and resources
List permissions given to all the roles on all resources:
LIST ALL PERMISSIONS;
Individual role permissions
List all permissions given to sam:
LIST ALL PERMISSIONS OF sam;
Results
role | username | resource | permission
------+----------+-------------------------------+------------
sam | sam | <table cycling.birthday_list> | AUTHORIZE
(1 rows)
All permissions on a resource
List all permissions on the cyclist_name table:
LIST ALL PERMISSIONS ON cycling.cyclist_name OF team_manager;
Output is:
role | username | resource | permission
--------------+--------------+-----------------+------------
sys_admin | sys_admin | <all keyspaces> | AUTHORIZE
team_manager | team_manager | <all keyspaces> | SELECT
(2 rows)