Security quickstart

Like many databases, the Cassandra-based CQL uses rolenames and passwords for internal authentication. Role-based authentication applies to both users and roles to enforce authorization. Roles can represent either actual individual users or roles that users are granted in CQL.

Cassandra is configured with a default superuser role and password pair of cassandra/cassandra by default. Using this role, additional roles are created using CQL commands. To secure the system, this default role should be deleted once one non-default superuser has been created.

Let’s look at an example of securing CQL users.

Roles-based access control (RBAC)

roles

In order to create a role, a user must have:

  • login privileges

  • either a superuser role assigned already OR

  • a non-superuser role already assigned that grants permissions for the role to create roles

Role with login privileges

Create a role named alice is with login privileges:

CREATE ROLE IF NOT EXISTS alice
WITH LOGIN = true
  AND PASSWORD = 'enjoyLife';

The concept of a user is not a separate entity in CQL; only roles exist. You assign a role to a user, so that you can grant them additional roles and/or permissions. Superuser privileges allow a role to perform any database operations. Roles are created with superuser or non-superuser status, and with or without login privileges.

Role with all permissions on a keyspace

Create a cycling_admin role, and then assign that role access to all the functionality of the cycling keyspace:

CREATE ROLE IF NOT EXISTS cycling_admin
  WITH PASSWORD = 'All4One2day!';
GRANT ALL PERMISSIONS ON KEYSPACE cycling TO cycling_admin;

The cycling_admin role is granted all permissions on the keyspace cycling in the second command. Those permissions are CREATE, ALTER, DROP, SELECT, MODIFY, AUTHORIZE, DESCRIBE, and EXECUTE.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com