RPCs over Cassandra native protocol

Steps to configure RPC permissions for external clients.

DataStax Enterprise supports RPCs over the Cassandra native protocol, which lets remote calls use Cassandra authentication and role-based access control.

The syntax for calling a procedure on the remote host is:
CALL Object.Method(parameter1, parameter2)

RPC permissions

RPC permissions are role-based to provide fine-grained control over which roles can execute which commands. The GRANT and REVOKE CQL commands grant and revoke access to database objects.

DataStax Enterprise supports this CQL syntax in cqlsh to grant and revoke RPC permissions:
GRANT permission ON ALL REMOTE CALLS TO role;
GRANT permission ON REMOTE OBJECT object TO role;
GRANT permission ON REMOTE METHOD object.method TO role;
REVOKE permission ON ALL REMOTE CALLS FROM role;
REVOKE permission ON REMOTE OBJECT object FROM role;
REVOKE permission ON REMOTE METHOD object.method FROM role;
where:
  • permission is one of the database permissions: CREATE, ALTER, DROP, SELECT, MODIFY, AUTHORIZE, DESCRIBE, or EXECUTE.
  • role is the role to grant or revoke authorization to.

Granting RPC permissions to DseClientTool

You must configure RPC permissions for external clients to run the dse client-tool command and to launch Spark:
cqlsh> GRANT EXECUTE ON REMOTE OBJECT DseClientTool TO USER;
Note: RPC permission for the DseClientTool object is required to run Spark because the DseClientTool object is called implicitly by the Spark launcher.
If access is attempted without permissions, you will see an error message similar to:
com.datastax.driver.core.exceptions.UnauthorizedException: User X has no EXECUTE permission on <rpc method DseClientTool.getSparkMasterAddress> or any of its parents
To resolve the problem, set RPC permissions for the DseClientTool object from an Analytics node in your cluster. For example:
cqlsh> GRANT EXECUTE ON REMOTE OBJECT DseClientTool TO ADMINROLE;
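The following added example (not DataStax code) replays a script of the GRANT and REVOKE statements shown above and reports which scope, if any, authorizes a role to call an RPC method, so that broad grants can be reviewed before they reach a cluster. It assumes the "parents" named in the error message are the object and then ALL REMOTE CALLS, that REVOKE removes only the exact grant it names, and it ignores role inheritance; the role names and the method otherMethod are made up.

```python
import re

# Statement grammar as given on the page (GRANT ... TO role / REVOKE ... FROM role).
STMT = re.compile(
    r"^\s*(GRANT|REVOKE)\s+(\w+)\s+ON\s+"
    r"(ALL\s+REMOTE\s+CALLS|REMOTE\s+OBJECT\s+(\w+)|REMOTE\s+METHOD\s+(\w+)\.(\w+))"
    r"\s+(?:TO|FROM)\s+(\w+)\s*;?\s*$", re.IGNORECASE)

SCOPE = {0: "ALL REMOTE CALLS", 1: "REMOTE OBJECT", 2: "REMOTE METHOD"}

def parse(stmt):
    """Return (verb, permission, resource_path, role); path () means all remote calls."""
    m = STMT.match(stmt)
    if not m:
        raise ValueError(f"not an RPC GRANT/REVOKE statement: {stmt!r}")
    verb, perm, _, obj, m_obj, m_meth, role = m.groups()
    path = (obj,) if obj else (m_obj, m_meth) if m_obj else ()
    return verb.upper(), perm.upper(), path, role

def effective_grants(statements):
    """Replay statements in order; REVOKE removes only the exact grant it names."""
    grants = set()
    for stmt in statements:
        verb, perm, path, role = parse(stmt)
        (grants.add if verb == "GRANT" else grants.discard)((role, perm, path))
    return grants

def authorizing_scope(grants, role, obj, method, perm="EXECUTE"):
    """Check the method, then its parents (assumed: object, then all remote calls)."""
    target = (obj, method)
    for depth in (2, 1, 0):
        if (role, perm, target[:depth]) in grants:
            return SCOPE[depth]
    return None  # no grant on the method or any parent: the call would be refused

def cluster_wide_roles(grants):
    """Roles holding a grant on ALL REMOTE CALLS, the broadest scope to review."""
    return sorted({role for role, _, path in grants if path == ()})

# Constructed grant script; role names are made up for the example.
SCRIPT = [
    "GRANT EXECUTE ON ALL REMOTE CALLS TO ops;",
    "GRANT EXECUTE ON REMOTE OBJECT DseClientTool TO analyst;",
    "GRANT EXECUTE ON REMOTE METHOD DseClientTool.getSparkMasterAddress TO etl;",
    "REVOKE EXECUTE ON REMOTE METHOD DseClientTool.getSparkMasterAddress FROM analyst;",
]
GRANTS = effective_grants(SCRIPT)
```

In this model the REVOKE on the method leaves analyst authorized through the object-level grant, which is the case worth checking when narrowing a role's access.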

Managing the permissions of a large number of users can be considerably simplified through the reuse of a small number of high-level roles. See Database roles and Configuring DSE Role management.