CREATE ROLE

Creates a cluster-wide database role used for access control to database resources, such as keyspaces, tables, and functions. Use roles to:

  • Create login accounts for CQL users.

  • Define a set of permissions that can be assigned to other roles and mapped to external users.

The best practice for internal authentication is to create separate roles for access permissions and for login accounts. See GRANT PERMISSION for more information on assigning permissions to roles, and GRANT ROLE for information on assigning roles to other roles.

A full-access login account cassandra (password cassandra) is enabled by default. Create your own full-access role and drop the cassandra account to close this critical security risk.

Roles for externally authenticated users are mapped to the user's group name. LDAP mapping is case sensitive.

Syntax

CREATE ROLE [ IF NOT EXISTS ] <role_name>
  ( WITH PASSWORD = '<role_password>'
  | WITH HASHED PASSWORD = '<hashed_role_password>' )      -- HASHED PASSWORD: DSE 6.8, DSE 6.9, and Cassandra 5.0 only
  [ ( WITH | AND ) SUPERUSER = ( true | false ) ]
  [ ( WITH | AND ) LOGIN = ( true | false ) ]
  [ ( WITH | AND ) ACCESS TO DATACENTERS { '<dc_name>' } | ( WITH | AND ) ACCESS TO ALL DATACENTERS ]   -- Cassandra 5.0 only
  [ ( WITH | AND ) ACCESS FROM CIDRS { '<region1>' } | ( WITH | AND ) ACCESS FROM ALL CIDRS ]            -- Cassandra 5.0 only
  [ ( WITH | AND ) OPTIONS = { <custom_options_map> } ] ;
Syntax legend

Syntax convention                  Description
UPPERCASE                          Literal keyword.
Lowercase                          Not literal.
< >                                Variable value. Replace with a user-defined value.
[ ]                                Optional. Square brackets ([ ]) surround optional command arguments. Do not type the square brackets.
( )                                Group. Parentheses ( ( ) ) identify a group to choose from. Do not type the parentheses.
|                                  Or. A vertical bar (|) separates alternative elements. Type any one of the elements. Do not type the vertical bar.
...                                Repeatable. An ellipsis ( ... ) indicates that you can repeat the syntax element as often as required.
'<Literal string>'                 Single quotation marks (') must surround literal strings in CQL statements. Use single quotation marks to preserve upper case.
{ <key> : <value> }                Map collection. Braces ({ }) enclose map collections or key-value pairs. A colon separates the key and the value.
<datatype>                         Set, list, map, or tuple. Angle brackets ( < > ) enclose data types in a set, list, map, or tuple. Separate the data types with a comma.
<cql_statement>;                   End CQL statement. A semicolon (;) terminates all CQL statements.
[--]                               Separate the command line options from the command arguments with two hyphens ( -- ). This syntax is useful when arguments might be mistaken for command line options.
'<schema> ... </schema>'           Search CQL only: Single quotation marks (') surround an entire XML schema declaration.
@<xml_entity>='<xml_entity_type>'  Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrConfig files.

Parameters

role_name
  Identifier of the role. CQL forces all names to lowercase. If you need to preserve case or use special characters in the role name, enclose <role_name> in quotes.
  To automatically map external users to roles with DSE Unified Authenticator, the role name must exactly match the LDAP group name, including case.

role_password
  Password for the role. Enclose the password in single quotes.

hashed_role_password
  Hashed password for the role. Enclose the hashed password in single quotes.

SUPERUSER
  Optional. Full read/write access to the database. Create a role with SUPERUSER only when it requires full access to the keyspaces and tables. Use true to create a superuser role.
  Default: false

LOGIN
  Optional. Allows the role to log in. Create a role with LOGIN only when it requires login access. Use true to create login accounts.
  Default: false

OPTIONS = { <option_map> }
  Optional. Map of custom options. Reserved for use with authentication plug-ins. Refer to the authenticator documentation for details.

Roles for users authenticated by an external directory, such as DSE Unified Authenticator, must have login enabled and no password or hashed password.

Create a role

Create a role for the cycling keyspace administrator. This role will later be assigned full permission to the cycling keyspace.

CREATE ROLE IF NOT EXISTS cycling_admin
  WITH PASSWORD = 'All4One2day!';

At this point the role has no permissions.

Create a login account

Create a role for a coach that has login capability.

CREATE ROLE IF NOT EXISTS coach
  WITH LOGIN = true
  AND PASSWORD = 'All4One2day!';

If preferred, create a login role using a hashed password:

CREATE ROLE IF NOT EXISTS coach
  WITH LOGIN = true
  AND HASHED PASSWORD = '$2a$10$8ht4.R2aar38wyXdJxHzj.Ww8xDL5wBYGt1SJ2l46N34MBjLSyD.e';

Internal authentication requires the role to have a password or hashed password. The hashed password above was generated with the DSE hash_password tool: hash_password -p All4One2day!.

Verify that a role can log in

Use the cqlsh LOGIN command to log in as a role that was created with LOGIN = true:

LOGIN coach;

Enter the password at the prompt.

Password: *******

The cqlsh prompt includes the role name:

coach@cqlsh>

Create a superuser role

Create a role for a superuser with full access to all keyspaces and tables:

CREATE ROLE IF NOT EXISTS sys_admin
  WITH LOGIN = true
  AND PASSWORD = 'changeme'
  AND SUPERUSER = true;

Note that this role was also created with LOGIN enabled, which is not required for a superuser role.
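The following sequence puts the recommendations above together: replace the default cassandra account with your own superuser, keep permission-holding roles separate from login accounts, and grant access through role membership. It is an added example, not part of the original page; it assumes you are connected with cqlsh as the default cassandra superuser and that a keyspace named cycling already exists, and the passwords are placeholders.

```cql
-- Constructed example (not from the original page). Assumes a cqlsh session
-- authenticated as the default cassandra superuser and an existing keyspace
-- named cycling. Replace the placeholder passwords before use.

-- 1. Create a replacement full-access account. It needs LOGIN = true because
--    it is the account that will drop the default cassandra role.
CREATE ROLE IF NOT EXISTS sys_admin
  WITH LOGIN = true
  AND PASSWORD = '<strong-admin-password>'
  AND SUPERUSER = true;

-- 2. Re-authenticate as the new superuser, then remove the default account
--    so its well-known password (cassandra) can no longer be used.
LOGIN sys_admin;
DROP ROLE IF EXISTS cassandra;

-- 3. A permission-holding role: no LOGIN and no PASSWORD. It exists only to
--    carry the grants on the cycling keyspace.
CREATE ROLE IF NOT EXISTS cycling_admin;
GRANT ALL PERMISSIONS ON KEYSPACE cycling TO cycling_admin;

-- 4. A login account: LOGIN and PASSWORD, but no SUPERUSER. It gets its
--    access only through membership in the permission-holding role.
CREATE ROLE IF NOT EXISTS coach
  WITH LOGIN = true
  AND PASSWORD = '<coach-password>';
GRANT cycling_admin TO coach;

-- 5. Review the result: sys_admin should be the only superuser,
--    cycling_admin should not be able to log in, and cassandra should be gone.
LIST ROLES;
```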

© 2024 DataStax