Secure database objects

Authentication based on internally controlled rolename/passwords

Internal authentication allows roles-based access control (RBAC) to CQL keyspaces and tables using an associated password. Users with an appropriate role and password can use CQL commands to do CRUD operations on data or authorize and assign roles. Users can be assigned one or more roles for authentication purposes. Roles can be created with superuser, non-superuser, and login privileges. CQL authentication values are stored internally in CQL system tables.

The same internal authentication is also used by cqlsh to authenticate connections to Cassandra clusters and sstableloader to load SSTables.

Authorization based on object permission management

Authorization grants access permissions to CQL commands based on role authentication. Authorization can grant permission to access the entire database or restrict a role to an individual table access. Roles can be granted authorization to authorize other roles. Roles can be granted to roles. Roles can also be revoked to delete permissions or roles.

Authorization can also restrict access to to database objects in a table based on the role authentication, even if assigned a role that have access to the object. RESTRICT and UNRESTRICT commands can be used to control access to database objects. Authorization can also grant access permissions to row-level data based on the role authentication. Row-level-based control (RLAC) is a feature of DataStax Enterprise (DSE) that allows you to control access to individual rows in a table based on the role authentication. RESTRICT ROWS and UNRESTRICT ROWS commands can be used to control access to individual rows in a table.

Using authentication and authorization

The cassandra.yaml file must be configured to use authentication and authorization.

See the Secure Quickstart for information on roles and how to use them to manage access to database objects.

If roles exist and Cassandra is configured to use authentication, cqlsh must be executed with optional authentication options. See cqlsh with authentication for additional information.

See also:

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000,