RPCs over Cassandra native protocol
Steps to configure RPC permissions for external clients.
DataStax Enterprise supports RPCs over the Cassandra native protocol to leverage Cassandra authentication and role-based access abilities.
The syntax for remote calls for the specified procedure on the remote host is:
CALL Object.Method(parameter1, parameter2)
RPC permissions
RPC permissions are role-based to provide fine-grained control over which roles can execute which commands. The GRANT and REVOKE CQL commands provide and revoke access to database objects.
DataStax Enterprise supports this CQL syntax in cqlsh to grant and revoke RPC permissions:
GRANT permission ON ALL REMOTE CALLS TO role;
GRANT permission ON REMOTE OBJECT object TO role;
GRANT permission ON REMOTE METHOD object.method TO role;
REVOKE permission ON ALL REMOTE CALLS FROM role;
REVOKE permission ON REMOTE OBJECT object FROM role;
REVOKE permission ON REMOTE METHOD object.method FROM role;
where:
- permission is one of the database permissions: CREATE, ALTER, DROP, SELECT, MODIFY, AUTHORIZE, DESCRIBE, or EXECUTE.
- role is the role to grant or revoke authorization to.
Granting RPC permissions to DseClientTool
You must configure RPC permissions for external clients to run the dse client-tool command and to launch Spark:
cqlsh> GRANT EXECUTE ON REMOTE OBJECT DseClientTool TO USER;
Note: RPC permission for the DseClientTool object is required to run Spark because the DseClientTool object is called implicitly by the Spark launcher.
If access is attempted without permissions, you will see an error message similar to:
com.datastax.driver.core.exceptions.UnauthorizedException: User X has no EXECUTE permission on <rpc method DseClientTool.getSparkMasterAddress> or any of its parents
To resolve the problem, set RPC permissions for the DseClientTool object from an Analytics node in your cluster. For example:
cqlsh> GRANT EXECUTE ON REMOTE OBJECT DseClientTool TO ADMINROLE;
Managing the permissions of a large number of users can be considerably simplified through the reuse of a small number of high-level roles. See Database roles and Configuring DSE Role management.
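The three grant scopes above form a hierarchy (method, object, all remote calls), which is what the "or any of its parents" wording in the error message refers to. The following added example, which is not DataStax code, is a small offline model for reviewing a list of RPC GRANT/REVOKE statements before applying them. It assumes role names compare case-insensitively and that a REVOKE removes only the identical grant; the role names in the sample are hypothetical.

```python
import re

# Statement shapes taken from the page: GRANT/REVOKE permission ON <scope> TO/FROM role;
STMT = re.compile(
    r"^\s*(GRANT|REVOKE)\s+(\w+)\s+ON\s+"
    r"(ALL\s+REMOTE\s+CALLS|REMOTE\s+OBJECT\s+(\w+)|REMOTE\s+METHOD\s+(\w+)\.(\w+))"
    r"\s+(?:TO|FROM)\s+(\w+)\s*;?\s*$",
    re.IGNORECASE,
)

def parse(stmt):
    m = STMT.match(stmt)
    if not m:
        raise ValueError(f"not an RPC GRANT/REVOKE statement: {stmt!r}")
    action, perm, _, obj, m_obj, m_name, role = m.groups()
    if obj:
        resource = (obj,)              # REMOTE OBJECT object
    elif m_obj:
        resource = (m_obj, m_name)     # REMOTE METHOD object.method
    else:
        resource = ()                  # ALL REMOTE CALLS, the root scope
    return action.upper(), perm.upper(), resource, role.lower()

def apply(statements):
    """Replay statements in order; REVOKE removes only the identical grant (assumption)."""
    grants = set()
    for stmt in statements:
        action, perm, resource, role = parse(stmt)
        op = grants.add if action == "GRANT" else grants.discard
        op((role, perm, resource))
    return grants

def can_call(grants, role, obj, method, perm="EXECUTE"):
    """True if role holds perm on the method or on any of its parents."""
    chain = [(obj, method), (obj,), ()]
    return any((role.lower(), perm, res) in grants for res in chain)

def broad_grants(grants):
    """Roles holding a permission on ALL REMOTE CALLS, worth reviewing first."""
    return sorted({role for role, _, res in grants if res == ()})

# Constructed sample statements; the role names are hypothetical.
SAMPLE = [
    "GRANT EXECUTE ON REMOTE OBJECT DseClientTool TO analyst;",
    "GRANT EXECUTE ON ALL REMOTE CALLS TO ops;",
    "GRANT EXECUTE ON REMOTE METHOD DseClientTool.getSparkMasterAddress TO etl;",
    "REVOKE EXECUTE ON REMOTE METHOD DseClientTool.getSparkMasterAddress FROM analyst;",
]
```

In this model the method-level REVOKE for analyst changes nothing, because the object-level grant on DseClientTool still covers the method.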