CREATE ROLE
Creates a cluster-wide database role used for access control to database resources, such as keyspaces, tables, and functions. Use roles to:
- Create login accounts for CQL users.
- Define a set of permissions that can be assigned to other roles and mapped to external users.
The best practice for internal authentication is to create separate roles for the various sets of access permissions and for login accounts. See GRANT PERMISSION for information on assigning permissions to roles, and GRANT ROLE for information on assigning roles to other roles.
Roles for externally authenticated users are mapped to the user's group name. LDAP mapping is case sensitive.
Syntax
CREATE ROLE [ IF NOT EXISTS ] <role_name>
  ( WITH PASSWORD = '<role_password>' | WITH HASHED PASSWORD = '<hashed_role_password>' )
  [ ( WITH | AND ) [ SUPERUSER = ( true | false ) ]
  [ ( WITH | AND ) LOGIN = ( true | false ) ]
  [ ( WITH | AND ) ACCESS TO DATACENTERS { 'dc_name' }
    | ( WITH | AND ) ACCESS TO ALL DATACENTERS
    | ( WITH | AND ) ACCESS FROM CIDRS { 'region1' }
    | ( WITH | AND ) ACCESS FROM ALL CIDRS ]
  [ [ WITH | AND ] OPTIONS = { <custom_options_map> } ] ] ;
The HASHED PASSWORD form applies to DSE 6.8, DSE 6.9, and Cassandra 5.0; the ACCESS TO DATACENTERS and ACCESS FROM CIDRS clauses apply to Cassandra 5.0 only.
Syntax legend
Syntax conventions | Description |
---|---|
UPPERCASE | Literal keyword. |
Lowercase | Not literal. |
 | Variable value. Replace with a user-defined value. |
[ ] | Optional. Square brackets ( [ ] ). |
( ) | Group. Parentheses ( ( ) ). |
\| | Or. A vertical bar ( \| ). |
... | Repeatable. An ellipsis ( ... ). |
' ' | Single quotation ( ' ). |
{ } | Map collection. Braces ( { } ). |
< > | Set, list, map, or tuple. Angle brackets ( < > ). |
; | End CQL statement. A semicolon ( ; ). |
-- | Separate the command line options from the command arguments with two hyphens ( -- ). |
' ' | Search CQL only: Single quotation marks ( ' ). |
 | Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrConfig files. |
Parameters
Parameter | Description | Default |
---|---|---|
<role_name> | Identifier of the role. CQL forces all names to lowercase. If you need to preserve case or use special characters in the role name, enclose <role_name> in quotes. | |
<role_password> | Password for the role. Enclose the password in single quotes. | |
<hashed_role_password> | Hashed password for the role. Enclose the hashed password in single quotes. | |
SUPERUSER | Optional. Full read/write access to the database. Only create roles with | false |
LOGIN | Optional. Allows the role to log in. Only create roles with | false |
OPTIONS | Optional. Map of custom options. Reserved for use with authentication plug-ins. Refer to the authenticator documentation for details. | |
Roles for users authenticated by an external directory, such as DSE Unified Authenticator, must have login enabled with no password or hashed password.
Create a role
Create a role for the cycling keyspace administrator. This role will later be assigned full permission to the cycling keyspace.
CREATE ROLE IF NOT EXISTS cycling_admin
WITH PASSWORD = 'All4One2day!';
At this point the role has no permissions.
Create a login account
Create a role for a coach that has login capability.
CREATE ROLE IF NOT EXISTS coach
WITH LOGIN = true
AND PASSWORD = 'All4One2day!';
If preferred, create a login role using a hashed password:
CREATE ROLE IF NOT EXISTS coach
WITH LOGIN = true
AND HASHED PASSWORD = '$2a$10$8ht4.R2aar38wyXdJxHzj.Ww8xDL5wBYGt1SJ2l46N34MBjLSyD.e';
Internal authentication requires the role to have a password or hashed password. The hashed password was generated with the DSE tool:
hash_password -p All4One2day!
Verify that a role can log in
The LOGIN command allows the role to log in.
LOGIN coach;
Enter the password at the prompt.
Password: *******
The cqlsh prompt includes the role name:
coach@cqlsh>
Create a superuser role
Create a role for a superuser with full access to all keyspaces and tables:
CREATE ROLE IF NOT EXISTS sys_admin
WITH LOGIN = true
AND PASSWORD = 'changeme'
AND SUPERUSER = true;
Note that this role has been created with LOGIN enabled as well, which is not required for a superuser role.
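The examples above show the two things worth checking before a CREATE ROLE script is run: a superuser role that can also log in, and passwords that appear in plaintext rather than as a hashed password. The following added Python checker (not DataStax code) parses CREATE ROLE statements with regular expressions and reports those cases; its input is a constructed sample made of this page's statements plus a hypothetical permission-only role, cycling_reader.

```python
import re
from dataclasses import dataclass

# Constructed input: this page's CREATE ROLE statements plus a hypothetical
# permission-only role (cycling_reader) that cannot log in.
SAMPLE_CQL = """
CREATE ROLE IF NOT EXISTS cycling_admin WITH PASSWORD = 'All4One2day!';
CREATE ROLE IF NOT EXISTS coach WITH LOGIN = true AND PASSWORD = 'All4One2day!';
CREATE ROLE IF NOT EXISTS coach WITH LOGIN = true
  AND HASHED PASSWORD = '$2a$10$8ht4.R2aar38wyXdJxHzj.Ww8xDL5wBYGt1SJ2l46N34MBjLSyD.e';
CREATE ROLE IF NOT EXISTS sys_admin WITH LOGIN = true AND PASSWORD = 'changeme' AND SUPERUSER = true;
CREATE ROLE IF NOT EXISTS cycling_reader;
"""
# One statement: optional IF NOT EXISTS, quoted or bare name, then options up to ';'.
STMT_RE = re.compile(r'CREATE\s+ROLE\s+(?:IF\s+NOT\s+EXISTS\s+)?("[^"]+"|\w+)(.*?);',
                     re.IGNORECASE | re.DOTALL)
# HASHED PASSWORD precedes PASSWORD so the alternation consumes the two-word form whole.
OPT_RE = re.compile(r"(HASHED\s+PASSWORD|PASSWORD|LOGIN|SUPERUSER)\s*=\s*('[^']*'|true|false)",
                    re.IGNORECASE)

@dataclass
class Role:
    name: str
    login: bool = False
    superuser: bool = False
    password: bool = False  # plaintext PASSWORD clause present
    hashed: bool = False    # HASHED PASSWORD clause present

def parse_roles(cql):
    """Extract login, superuser and password attributes of every CREATE ROLE statement."""
    roles = []
    for stmt in STMT_RE.finditer(cql):
        role = Role(name=stmt.group(1).strip('"'))
        for key, value in OPT_RE.findall(stmt.group(2)):
            key = " ".join(key.upper().split())  # normalise spacing in "HASHED PASSWORD"
            if key == "LOGIN":
                role.login = value.lower() == "true"
            elif key == "SUPERUSER":
                role.superuser = value.lower() == "true"
            else:
                setattr(role, "hashed" if key.startswith("HASHED") else "password", True)
        roles.append(role)
    return roles

# Each rule: (predicate over a Role, message). Ordered by severity for the report.
RULES = [
    (lambda r: r.superuser and r.login, "superuser role can log in directly; use a separate login role"),
    (lambda r: r.login and not (r.password or r.hashed), "login role without a password: valid only for external authentication"),
    (lambda r: r.password, "plaintext PASSWORD in script; prefer HASHED PASSWORD"),
]

def findings(roles):
    """Return (role name, message) pairs for definitions that deserve review."""
    return [(r.name, msg) for r in roles for check, msg in RULES if check(r)]
```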