GRANT

Assigns privileges to roles on database resources, such as keyspaces, tables, and functions.

Permissions apply immediately, even to active client sessions.

Restriction: Enable authentication and authorization to control access to database resources. See Enabling DSE Unified Authentication.

Synopsis

GRANT <permission> [ , <permission> ... ]
  ON <resource_name>
  TO <role_name> ;

GRANT <role_name>
  TO <role_name> ;

<permission> is ALL PERMISSIONS, a comma-separated list of permissions, or AUTHORIZE [FOR <permission_list>]; <resource_name> is one of the resource keywords described below. The second form grants one role, as a set of permissions, to another role.
Syntax legend

  • UPPERCASE - Literal keyword.

  • Lowercase - Not literal.

  • < > - Variable value. Replace with a user-defined value.

  • [] - Optional. Square brackets ([]) surround optional command arguments. Do not type the square brackets.

  • ( ) - Group. Parentheses (( )) identify a group to choose from. Do not type the parentheses.

  • | - Or. A vertical bar (|) separates alternative elements. Type any one of the elements. Do not type the vertical bar.

  • ... - Repeatable. An ellipsis (...) indicates that you can repeat the syntax element as often as required.

  • '<Literal string>' - Single quotation marks (') must surround literal strings in CQL statements. Use single quotation marks to preserve upper case.

  • { <key> : <value> } - Map collection. Braces ({ }) enclose map collections or key-value pairs. A colon separates the key and the value.

  • <datatype1>,<datatype2> - Set, list, map, or tuple. Angle brackets (< >) enclose data types in a set, list, map, or tuple. Separate the data types with a comma.

  • <cql_statement>; - End CQL statement. A semicolon (;) terminates all CQL statements.

  • [--] - Separate the command line options from the command arguments with two hyphens (--). This syntax is useful when arguments might be mistaken for command line options.

  • '<schema> ... </schema>' - Search CQL only: Single quotation marks (') surround an entire XML schema declaration.

  • @<xml_entity>='<xml_entity_type>' - Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrConfig files.

privilege

For DSE 5.1 only. Permissions granted on a resource to a role; grant a privilege at any level of the resource hierarchy. The full set of available privileges is:

  • ALL PERMISSIONS

  • ALTER

  • AUTHORIZE

  • CREATE

  • DESCRIBE

  • DROP

  • EXECUTE

  • MODIFY

  • PROXY.EXECUTE

  • PROXY.LOGIN

  • SEARCH.ALTER

  • SEARCH.COMMIT

  • SEARCH.CREATE

  • SEARCH.DROP

  • SEARCH.REBUILD

  • SEARCH.RELOAD

  • SELECT

<permission>

Type of access a role has on a database resource. Use ALL PERMISSIONS or a comma separated list of permissions.

Permissions are resource-specific as follows:

  • Data - ALL PERMISSIONS or ALTER, AUTHORIZE [FOR <permission_list>], CREATE, DESCRIBE, DROP, MODIFY (deprecated), SELECT, TRUNCATE, or UPDATE (allows INSERT, UPDATE, or DELETE)

  • Functions (and aggregates) - ALL PERMISSIONS or ALTER, AUTHORIZE [FOR <permission_list>], CREATE, and DROP

  • Search indexes - AUTHORIZE [FOR <permission_list>], SEARCH.ALTER, SEARCH.COMMIT, SEARCH.CREATE, SEARCH.DROP, SEARCH.REBUILD, and SEARCH.RELOAD

  • Roles - ALL PERMISSIONS or ALTER, AUTHORIZE [FOR <permission_list>], CREATE, DESCRIBE, DROP, PROXY.EXECUTE, and PROXY.LOGIN

  • JMX (MBeans) - ALL PERMISSIONS or AUTHORIZE [FOR <permission_list>], DESCRIBE, EXECUTE, MODIFY, and SELECT

  • Remote procedure calls (RPC) - ALL PERMISSIONS or AUTHORIZE [FOR <permission_list>], EXECUTE, MODIFY, and SELECT

  • Authentication schemes - ALL PERMISSIONS or AUTHORIZE [FOR <permission_list>] and EXECUTE

  • Spark workpools - ALL PERMISSIONS or AUTHORIZE [FOR <permission_list>], CREATE, and DESCRIBE

  • Spark submissions - ALL PERMISSIONS or AUTHORIZE [FOR <permission_list>], DESCRIBE, and MODIFY

To manage access control on a resource, the role must hold AUTHORIZE on that resource for the type of permission it wants to grant or revoke. AUTHORIZE granted without FOR <permission_list> lets the role grant and revoke every permission on the object, including AUTHORIZE itself.

MODIFY is deprecated and replaced by TRUNCATE and UPDATE. Migrating away from MODIFY is recommended but not strictly necessary. Test the migration thoroughly and apply it with care: UPDATE does not include TRUNCATE, so a role that legitimately truncates tables needs the separate TRUNCATE permission, and a role that only inserts, updates, and deletes rows should not receive it.
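The migration described above, written out as CQL. This is an added example, not part of the original page or DataStax's own documentation code; the role names app_writer and batch_loader are hypothetical, and it assumes the cycling keyspace exists and that the statements run as a role holding AUTHORIZE on KEYSPACE cycling.

```sql
-- Added example (not from the original page): moving two roles off the
-- deprecated MODIFY permission while keeping each at least privilege.
-- Assumed: keyspace cycling exists; run as a role with AUTHORIZE on
-- KEYSPACE cycling; role names are hypothetical.

-- Permission bundles, not accounts: LOGIN = false so nobody logs in as them.
CREATE ROLE IF NOT EXISTS app_writer WITH LOGIN = false;
CREATE ROLE IF NOT EXISTS batch_loader WITH LOGIN = false;

-- Legacy state: both hold MODIFY, which silently includes TRUNCATE.
GRANT MODIFY ON KEYSPACE cycling TO app_writer;
GRANT MODIFY ON KEYSPACE cycling TO batch_loader;

-- Step 1: grant the replacement permissions first, so no write is refused
-- in the window between the REVOKE and the GRANT (grants apply immediately).
-- app_writer only inserts, updates and deletes rows: UPDATE is enough.
GRANT UPDATE ON KEYSPACE cycling TO app_writer;
-- batch_loader empties tables before reloading them: it also needs TRUNCATE.
GRANT UPDATE, TRUNCATE ON KEYSPACE cycling TO batch_loader;

-- Step 2: remove the deprecated permission.
REVOKE MODIFY ON KEYSPACE cycling FROM app_writer;
REVOKE MODIFY ON KEYSPACE cycling FROM batch_loader;

-- Step 3: verify. app_writer should list UPDATE only, batch_loader UPDATE
-- and TRUNCATE, and neither should still list MODIFY.
LIST ALL PERMISSIONS ON KEYSPACE cycling OF app_writer;
LIST ALL PERMISSIONS ON KEYSPACE cycling OF batch_loader;
```

Grant before revoke is deliberate: because permission changes take effect on active sessions immediately, revoking MODIFY first would reject in-flight writes until the replacement grant lands.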

<resource_name>

Apache Cassandra® database objects on which permissions are applied. Database resources form a modelled hierarchy: a permission granted on a higher-level object gives the role the same permission on every object beneath it, so SELECT on a keyspace implies SELECT on each table in that keyspace. Identify the resource using the following keywords, listed from the top of each hierarchy down:

  • Data - ALL KEYSPACES > KEYSPACE <keyspace_name> > ALL TABLES IN KEYSPACE <keyspace_name> > TABLE <table_name> > '<filtering_data>' ROWS IN <table_name>

  • Functions (including aggregates) - ALL FUNCTIONS > ALL FUNCTIONS IN KEYSPACE <keyspace_name> > FUNCTION <keyspace_name>.<function_name>(<argument_types>)

  • Search indexes - ALL SEARCH INDICES > SEARCH KEYSPACE <keyspace_name> > SEARCH INDEX [<keyspace_name>.]<table_name>

  • JMX MBeans - ALL MBEANS > MBEAN <mbean_name> | MBEANS <pattern>

  • Remote procedure calls (RPC) - ALL REMOTE CALLS > REMOTE METHOD <name> | REMOTE OBJECT <name>

  • Roles - ALL ROLES > ROLE <role_name>

  • Authentication schemes - ALL SCHEMES > LDAP | KERBEROS | INTERNAL

  • Analytic applications

    • Workpools - ANY WORKPOOL > WORKPOOL '<dc_name>.*' > WORKPOOL '<dc_name>.<workpool_name>'

    • Submissions - ANY SUBMISSION > ANY SUBMISSION IN WORKPOOL '<datacenter_name>.*' > ANY SUBMISSION IN WORKPOOL '<datacenter_name>.<workpool_name>' > SUBMISSION <ID>

Access control matrix tables

Resource type: Data (privilege on resource - operations permitted)

  • ALL PERMISSIONS on resource_name - All operations that are applicable to the resource and the objects beneath it, where resource_name is any of the data resources listed below.

  • ALTER on ALL KEYSPACES - ALTER KEYSPACE, ALTER TABLE, ALTER TYPE, and RESTRICT ROW in any keyspace.

  • ALTER on KEYSPACE keyspace_name - ALTER KEYSPACE, ALTER TABLE, ALTER TYPE, and RESTRICT ROW in the specified keyspace.

  • ALTER on TABLE table_name - ALTER TABLE and RESTRICT ROW on the specified table.

  • CREATE on ALL KEYSPACES - CREATE KEYSPACE, CREATE TABLE, CREATE FUNCTION, and CREATE TYPE in any keyspace.

  • CREATE on KEYSPACE keyspace_name - CREATE TABLE and CREATE TYPE in the specified keyspace.

  • DROP on ALL KEYSPACES - DROP KEYSPACE, DROP TABLE, and DROP TYPE in any keyspace.

  • DROP on KEYSPACE keyspace_name - DROP TABLE and DROP TYPE in the specified keyspace.

  • DROP on TABLE table_name - DROP TABLE on the specified table.

  • MODIFY (deprecated; see UPDATE and TRUNCATE) on 'filtering_data' ROWS IN table_name - MODIFY on rows that exactly match filtering_data in the specified table.

  • MODIFY (deprecated) on ALL KEYSPACES - INSERT, UPDATE, DELETE, and TRUNCATE on any table.

  • MODIFY (deprecated) on KEYSPACE keyspace_name - INSERT, UPDATE, DELETE, and TRUNCATE on any table in the specified keyspace.

  • MODIFY (deprecated) on TABLE table_name - INSERT, UPDATE, DELETE, and TRUNCATE on the specified table.

  • SELECT on 'filtering_data' ROWS IN table_name - SELECT on rows that exactly match filtering_data in the specified table.

  • SELECT on ALL KEYSPACES - SELECT on any table.

  • SELECT on KEYSPACE keyspace_name - SELECT on any table in the specified keyspace.

  • SELECT on TABLE table_name - SELECT on the specified table.

Resource type: Functions (privilege on resource - operations permitted)

  • ALTER on ALL FUNCTIONS - CREATE FUNCTION and CREATE AGGREGATE, including replacing an existing function or aggregate (CREATE OR REPLACE), in any keyspace.

  • ALTER on ALL FUNCTIONS IN KEYSPACE keyspace_name - CREATE FUNCTION and CREATE AGGREGATE, including replacing an existing function or aggregate, in the specified keyspace.

  • ALTER on FUNCTION function_name - Replace the specified function (CREATE OR REPLACE).

  • CREATE on ALL FUNCTIONS - CREATE FUNCTION and CREATE AGGREGATE in any keyspace.

  • CREATE on ALL FUNCTIONS IN KEYSPACE keyspace_name - CREATE FUNCTION and CREATE AGGREGATE in the specified keyspace.

  • DROP on ALL FUNCTIONS - DROP FUNCTION and DROP AGGREGATE in any keyspace.

  • DROP on ALL FUNCTIONS IN KEYSPACE keyspace_name - DROP FUNCTION and DROP AGGREGATE in the specified keyspace.

  • DROP on FUNCTION function_name - DROP FUNCTION on the specified function.

  • EXECUTE on ALL FUNCTIONS - SELECT, INSERT, and UPDATE using any function, and use of any function in CREATE AGGREGATE.

  • EXECUTE on ALL FUNCTIONS IN KEYSPACE keyspace_name - SELECT, INSERT, and UPDATE using any function in the specified keyspace, and use of any function in that keyspace in CREATE AGGREGATE.

  • EXECUTE on FUNCTION function_name - SELECT, INSERT, and UPDATE using the specified function, and use of that function in CREATE AGGREGATE.

Resource type: JMX (privilege on resource - operations permitted)

  • DESCRIBE on ALL MBEANS - Retrieve metadata about any MBean from the platform's MBeanServer.

  • DESCRIBE on MBEAN mbean_name - Retrieve metadata about the named MBean from the platform's MBeanServer.

  • DESCRIBE on MBEANS pattern - Retrieve metadata about any MBean matching a wildcard pattern from the platform's MBeanServer.

  • EXECUTE on ALL MBEANS - Execute operations on any MBean.

  • EXECUTE on MBEAN mbean_name - Execute operations on the named MBean.

  • EXECUTE on MBEANS pattern - Execute operations on any MBean matching a wildcard pattern.

  • MODIFY on ALL MBEANS - Call setter methods on any MBean.

  • MODIFY on MBEAN mbean_name - Call setter methods on the named MBean.

  • MODIFY on MBEANS pattern - Call setter methods on any MBean matching a wildcard pattern.

  • SELECT on ALL MBEANS - Call getter methods on any MBean.

  • SELECT on MBEAN mbean_name - Call getter methods on the named MBean.

  • SELECT on MBEANS pattern - Call getter methods on any MBean matching a wildcard pattern.
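A read-only JMX role for a monitoring agent, built from the permissions above. This is an added example, not code from the original page or from DataStax; the role name jmx_monitor is hypothetical, it assumes DSE Unified Authentication is enabled for JMX, and the MBean names used are Cassandra's StorageService and Tables MBeans in the org.apache.cassandra.db domain.

```sql
-- Added example (not from the original page): least-privilege JMX access.
-- Assumed: DSE Unified Authentication is enabled for JMX; the role name is
-- hypothetical; the MBean object names are Cassandra's own (StorageService
-- and the per-table Tables MBeans in the org.apache.cassandra.db domain).

CREATE ROLE IF NOT EXISTS jmx_monitor WITH PASSWORD = 'change-me' AND LOGIN = true;

-- DESCRIBE lets the agent enumerate MBeans and their attribute metadata.
GRANT DESCRIBE ON ALL MBEANS TO jmx_monitor;

-- SELECT allows getter calls only: read load, compaction and table metrics.
GRANT SELECT ON MBEAN 'org.apache.cassandra.db:type=StorageService' TO jmx_monitor;
-- MBEANS takes a JMX ObjectName pattern; this one covers every table MBean
-- in the cycling keyspace (the trailing ",*" is the JMX property wildcard).
GRANT SELECT ON MBEANS 'org.apache.cassandra.db:type=Tables,keyspace=cycling,*' TO jmx_monitor;

-- Deliberately NOT granted: EXECUTE (invoke operations such as drain or
-- forced compaction) and MODIFY (setter calls). A leaked monitoring
-- credential can then read node state but not change it.
--   GRANT EXECUTE ON ALL MBEANS TO jmx_monitor;
--   GRANT MODIFY ON ALL MBEANS TO jmx_monitor;

-- Check the result: only DESCRIBE and SELECT should be listed.
LIST ALL PERMISSIONS OF jmx_monitor;
```

Scoping SELECT to named MBeans or patterns, rather than ALL MBEANS, keeps the agent away from MBeans whose getters expose configuration you would rather not hand to a monitoring account.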

Resource type: Role management (privilege on resource - operations permitted)

  • ALTER on ALL ROLES - ALTER ROLE on any role.

  • ALTER on ROLE role_name - ALTER ROLE on the specified role.

  • AUTHORIZE on resource_name - GRANT and REVOKE permissions on the resource. Note: roles are themselves resources, so granting or revoking permissions on a role requires AUTHORIZE on that role.

  • CREATE on ALL ROLES - CREATE ROLE.

  • DESCRIBE on ALL ROLES - LIST ROLES for all roles, or only the roles granted to another specified role.

  • DROP on ALL ROLES - DROP ROLE on any role.

  • DROP on ROLE role_name - DROP ROLE on the specified role.

  • PROXY.EXECUTE on ROLE role_name - After authenticating, issue individual requests as the specified role.

  • PROXY.LOGIN on ROLE role_name - After authenticating, issue all requests in the session as the specified role.

  • GRANT role_name TO role_name - Grant a role, as a set of permissions, to another role. Requires AUTHORIZE on both the role being granted and the target role.
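The role-to-role grant and the two proxy permissions from the table above, in CQL. This is an added example rather than code from the original page or from DataStax; the roles cycling_reader, alice, and web_app are hypothetical, and it assumes the cycling keyspace exists and that the statements run as a role with AUTHORIZE on KEYSPACE cycling and on ALL ROLES.

```sql
-- Added example (not from the original page): a role used as a permission
-- bundle, a user that inherits it, and a service that proxies as that user.
-- Assumed: keyspace cycling exists; run as a role with AUTHORIZE on
-- KEYSPACE cycling and on ALL ROLES; all role names are hypothetical.

-- Bundle: no password and LOGIN = false, so it is only reachable through
-- the roles it is granted to.
CREATE ROLE IF NOT EXISTS cycling_reader WITH LOGIN = false;
GRANT SELECT ON KEYSPACE cycling TO cycling_reader;

-- A human user inherits the bundle instead of collecting direct grants.
CREATE ROLE IF NOT EXISTS alice WITH PASSWORD = 'change-me' AND LOGIN = true;
GRANT cycling_reader TO alice;

-- A middle tier that authenticates once and acts on behalf of end users.
CREATE ROLE IF NOT EXISTS web_app WITH PASSWORD = 'change-me-too' AND LOGIN = true;

-- PROXY.EXECUTE: web_app may run individual requests as alice, under
-- alice's permissions, while the session itself stays web_app's.
-- Prefer it over PROXY.LOGIN, which switches the whole session to alice.
GRANT PROXY.EXECUTE ON ROLE alice TO web_app;

-- Verify: alice should list cycling_reader; web_app should list only the
-- proxy permission on ROLE alice, and no data permissions of its own.
LIST ROLES OF alice;
LIST ALL PERMISSIONS OF web_app;
```

Keeping web_app free of direct data grants means a request it forgets to proxy fails closed instead of running with a broad service-account permission set.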

Resource type: Search index (privilege on resource - operations permitted)

  • ALL PERMISSIONS on ALL SEARCH INDICES - All search index privileges for all search indexes in the system.

  • ALL PERMISSIONS on SEARCH KEYSPACE keyspace_name - All search index privileges for all tables in the specified keyspace.

  • ALL PERMISSIONS on SEARCH INDEX [keyspace_name.]table_name - All search index privileges for the specified table.

  • SEARCH.ALTER on ALL SEARCH INDICES - ALTER SEARCH INDEX on all tables in all keyspaces.

  • SEARCH.ALTER on SEARCH KEYSPACE keyspace_name - ALTER SEARCH INDEX on all tables in the specified keyspace.

  • SEARCH.ALTER on SEARCH INDEX [keyspace_name.]table_name - ALTER SEARCH INDEX on the specified table.

  • SEARCH.COMMIT on ALL SEARCH INDICES - COMMIT SEARCH INDEX on all tables in all keyspaces.

  • SEARCH.COMMIT on SEARCH KEYSPACE keyspace_name - COMMIT SEARCH INDEX on all tables in the specified keyspace.

  • SEARCH.COMMIT on SEARCH INDEX [keyspace_name.]table_name - COMMIT SEARCH INDEX on the specified table.

  • SEARCH.CREATE on ALL SEARCH INDICES - CREATE SEARCH INDEX on all tables in all keyspaces.

  • SEARCH.CREATE on SEARCH KEYSPACE keyspace_name - CREATE SEARCH INDEX on all tables in the specified keyspace.

  • SEARCH.CREATE on SEARCH INDEX [keyspace_name.]table_name - CREATE SEARCH INDEX on the specified table.

  • SEARCH.DROP on ALL SEARCH INDICES - DROP SEARCH INDEX on all tables in all keyspaces.

  • SEARCH.DROP on SEARCH KEYSPACE keyspace_name - DROP SEARCH INDEX on all tables in the specified keyspace.

  • SEARCH.DROP on SEARCH INDEX [keyspace_name.]table_name - DROP SEARCH INDEX on the specified table.

  • SEARCH.REBUILD on ALL SEARCH INDICES - REBUILD SEARCH INDEX on any table in all keyspaces.

  • SEARCH.REBUILD on SEARCH KEYSPACE keyspace_name - REBUILD SEARCH INDEX on all tables in the specified keyspace.

  • SEARCH.REBUILD on SEARCH INDEX [keyspace_name.]table_name - REBUILD SEARCH INDEX on the specified table.

  • SEARCH.RELOAD on ALL SEARCH INDICES - RELOAD SEARCH INDEX on all tables in all keyspaces.

  • SEARCH.RELOAD on SEARCH KEYSPACE keyspace_name - RELOAD SEARCH INDEX on all tables in the specified keyspace.

  • SEARCH.RELOAD on SEARCH INDEX [keyspace_name.]table_name - RELOAD SEARCH INDEX on the specified table.

Resource type: Spark applications (privilege on resource - operations permitted)

  • CREATE on ANY WORKPOOL - Submit an application to the work pool in any datacenter.

  • CREATE on WORKPOOL datacenter_name - Submit an application to the work pool in the specified datacenter.

  • MODIFY on ANY SUBMISSION - Manage any application across all datacenters.

  • MODIFY on ANY SUBMISSION IN WORKPOOL datacenter_name - Manage applications in the specified datacenter.

  • MODIFY on SUBMISSION application_ID IN WORKPOOL datacenter_name - Manage a single application in the specified datacenter.

Examples

In most environments, user authentication is handled by a plug-in that verifies user credentials against an external directory service such as LDAP. For simplicity, the following examples use internal users.

Manage object permissions

Use AUTHORIZE to allow a role to manage access control of specific resources.

  • Allow role to grant any permission type, including AUTHORIZE, on all objects in the cycling keyspace:

    GRANT AUTHORIZE
    ON KEYSPACE cycling
    TO cycling_admin;

    This makes the role effectively a superuser within the cycling keyspace, because a role holding AUTHORIZE can modify its own permissions on the keyspace as well as the permissions of the roles it inherits from.

  • Allow the sam role to assign permission to run queries and change data in the cycling keyspace:

    GRANT AUTHORIZE FOR SELECT, TRUNCATE, UPDATE
    ON KEYSPACE cycling
    TO sam;

    The sam role cannot grant other permissions such as AUTHORIZE, AUTHORIZE FOR ..., ALTER, CREATE, DESCRIBE, and DROP to another role.

Access to data resources

Use the data resource permissions to manage access to keyspaces, tables, rows, and types.

Give the role cycling_admin all permissions to the cycling keyspace:

GRANT ALL PERMISSIONS
ON KEYSPACE cycling
TO cycling_admin;

Give the role coach permission to perform SELECT statements and modify data on all tables in the cycling keyspace:

GRANT SELECT, TRUNCATE, UPDATE
ON KEYSPACE cycling
TO coach;

Give the role coach permission to perform ALTER KEYSPACE statements on the cycling keyspace, and also ALTER TABLE, CREATE INDEX, and DROP INDEX statements on all tables in the cycling keyspace:

GRANT ALTER
ON KEYSPACE cycling
TO coach;

Give the role martin permission to perform SELECT statements on rows that contain 'Sprint' in the cycling.cyclist_category table:

GRANT SELECT
ON 'Sprint' ROWS IN cycling.cyclist_category
TO martin;

The filtering_data string is case-sensitive.

To view permissions see LIST PERMISSIONS.
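The resource hierarchy described under <resource_name> means a grant made on a keyspace is inherited by every table beneath it, and the data examples above rely on that. The following added example (not code from the original page or from DataStax) shows how to see the inheritance with LIST PERMISSIONS and why revoking at the wrong level does nothing. It assumes the cycling keyspace and the table cycling.cyclist_name exist; the role name coach is hypothetical, and the statements run as a role with AUTHORIZE on KEYSPACE cycling.

```sql
-- Added example (not from the original page): inherited permissions.
-- Assumed: keyspace cycling and table cycling.cyclist_name exist; run as a
-- role with AUTHORIZE on KEYSPACE cycling; the role name is hypothetical.

CREATE ROLE IF NOT EXISTS coach WITH LOGIN = false;

-- One grant at keyspace level ...
GRANT SELECT ON KEYSPACE cycling TO coach;

-- ... is reported when listing permissions on a table in that keyspace,
-- because LIST PERMISSIONS walks up the resource hierarchy by default.
LIST ALL PERMISSIONS ON TABLE cycling.cyclist_name OF coach;

-- NORECURSIVE shows only what was granted directly on the table: nothing.
LIST ALL PERMISSIONS ON TABLE cycling.cyclist_name OF coach NORECURSIVE;

-- Revoking at table level does not touch the keyspace-level grant, so coach
-- can still read the table. Revoke where the permission was granted.
REVOKE SELECT ON TABLE cycling.cyclist_name FROM coach;
LIST ALL PERMISSIONS ON TABLE cycling.cyclist_name OF coach;   -- still SELECT
REVOKE SELECT ON KEYSPACE cycling FROM coach;
LIST ALL PERMISSIONS ON TABLE cycling.cyclist_name OF coach;   -- now empty
```

When auditing a role's effective access to a table, use the recursive form; when checking what was granted at exactly one level, use NORECURSIVE.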

© 2024 DataStax | Privacy policy | Terms of use
