Configuring authorization and object permissions

Steps to configure and use the DSE Authorizer to manage object permissions against authentication schemes.

The DSE Authorizer provides custom authorization of DataStax Enterprise components by managing permissions against authentication schemes. The DSE Authorizer extends permissions to applications, client tools, and authentication schemes. Authorization supports transitional mode during configuration of a DataStax Enterprise cluster.
Note: Authentication is independent of authorization and object permissions.
The location of the dse.yaml file depends on the type of installation:
  • Installer-Services: /etc/dse/dse.yaml
  • Package installations: /etc/dse/dse.yaml
  • Installer-No Services: install_location/resources/dse/conf/dse.yaml
  • Tarball installations: install_location/resources/dse/conf/dse.yaml
The location of the cassandra.yaml file depends on the type of installation:
  • Installer-Services: /etc/dse/cassandra/cassandra.yaml
  • Package installations: /etc/dse/cassandra/cassandra.yaml
  • Installer-No Services: install_location/resources/cassandra/conf/cassandra.yaml
  • Tarball installations: install_location/resources/cassandra/conf/cassandra.yaml

Use the familiar relational database GRANT/REVOKE paradigm to grant or revoke permissions to access Cassandra data. A superuser grants initial permissions, and subsequently a role may or may not be given the permission to grant/revoke permissions.

The DSE Authorizer supports the following CQL authorization statements:

Accessing system resources 

Read access to these system tables is implicitly given to every authenticated user because the tables are used by most Cassandra tools:

  • system.schema_keyspaces
  • system.schema_columns
  • system.schema_columnfamilies
  • system.local
  • system.peers

Procedure

On each node:

  1. In the cassandra.yaml file, set authorizer to com.datastax.bdp.cassandra.auth.DseAuthorizer. By default, the authorizer option is set to AllowAllAuthorizer, which performs no permission checks at all.
    authorizer: com.datastax.bdp.cassandra.auth.DseAuthorizer
  2. In the dse.yaml file, set the authorization options:
    authorization_options: 
        enabled: false
        transitional_mode: disabled
    1. Turn on authorization:
      enabled: true
    2. During setup of authorization in a DataStax Enterprise cluster, the DSE Authorizer can operate in a transitional mode, so that permissions can be granted to roles before they are enforced. For transitional_mode, select one of these values:
      • disabled - Transitional mode is disabled; permissions are enforced for all users.
      • normal - Permissions can be granted on resources, but are not enforced.
      • strict - Permissions can be granted on resources, and are enforced on authenticated users. Permissions are not enforced against anonymous users.
      Set transitional_mode back to disabled once every role has the permissions it needs: while it is normal, the authorizer enforces nothing, and while it is strict, anonymous users are still unrestricted.
  3. Complete the steps to configure authentication schemes with the DSE Unified Authenticator.
  4. Optional: You can specify whether roles require permissions for specific authentication schemes. To use scheme permissions, specify scheme_permissions: true in dse.yaml.
  5. When scheme_permissions is true, you must grant privileges on the authentication schemes to roles. Use this CQL syntax:
    cqlsh> GRANT EXECUTE ON ALL AUTHENTICATION SCHEMES TO role;
    cqlsh> GRANT EXECUTE ON (INTERNAL|LDAP|KERBEROS) SCHEME TO role;
    The permission is granted only when the authentication scheme is enabled in the DseAuthenticator.
    • To allow a role to use all available authentication schemes:
      cqlsh> GRANT EXECUTE ON ALL AUTHENTICATION SCHEMES TO role;
    • To allow a role to use only the LDAP authentication scheme:
      cqlsh> GRANT EXECUTE ON LDAP SCHEME TO role;
    • To allow a role to use only the INTERNAL authentication scheme:
      cqlsh> GRANT EXECUTE ON INTERNAL SCHEME TO role;
    • To allow a role to use only the KERBEROS authentication scheme:
      cqlsh> GRANT EXECUTE ON KERBEROS SCHEME TO role;
    For example, create the allschemes_role@group1_auth role, give it a password and login = true, and then grant execute on all authentication schemes to it. Role names that contain characters such as @ must be quoted:
    cqlsh> CREATE ROLE 'allschemes_role@group1_auth' WITH PASSWORD = 'allschemes' AND LOGIN = true;
    cqlsh> GRANT EXECUTE ON ALL AUTHENTICATION SCHEMES TO 'allschemes_role@group1_auth';
    View the results:
    cqlsh> LIST ALL PERMISSIONS OF 'allschemes_role@group1_auth';
  6. To revoke authentication schemes from specific roles, use this syntax:
    • To revoke the availability of all authentication schemes from a role:
      cqlsh> REVOKE EXECUTE ON ALL AUTHENTICATION SCHEMES FROM role;
    • To revoke the availability of the specified authentication scheme from a role:
      cqlsh> REVOKE EXECUTE ON (INTERNAL|LDAP|KERBEROS) SCHEME FROM role;
      For example, to revoke a role's ability to use the LDAP authentication scheme:
      cqlsh> REVOKE EXECUTE ON LDAP SCHEME FROM role;
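The procedure above is easy to get half-right: the authorizer set in cassandra.yaml but authorization_options.enabled left false, or transitional_mode left at normal so that grants are recorded but never enforced. The following pre-flight check is an added example and not DataStax code. It reads the handful of mapping keys this page uses from cassandra.yaml and dse.yaml with a deliberately minimal YAML-subset parser, reports what the DSE Authorizer will actually enforce for authenticated and anonymous users, and builds the GRANT EXECUTE ... SCHEME statements for a role while skipping schemes that are not enabled in the DseAuthenticator. The two YAML fragments and the set of enabled schemes are constructed sample inputs; the function names are this example's own.

```python
"""Pre-flight check for DSE authorization settings (added example, not DataStax code).
Parses only nested mappings of scalars from cassandra.yaml and dse.yaml, derives the
effective enforcement state including the transitional_mode caveats, and emits the
scheme grant statements for a role. The sample inputs below are constructed."""

# Constructed sample of the relevant cassandra.yaml setting.
CASSANDRA_YAML = """
# authorizer: AllowAllAuthorizer   (the default: no permission checks)
authorizer: com.datastax.bdp.cassandra.auth.DseAuthorizer
"""

# Constructed sample of the relevant dse.yaml block, still in transitional mode.
DSE_YAML = """
authorization_options:
    enabled: true
    transitional_mode: strict
"""

SCHEMES = ("INTERNAL", "LDAP", "KERBEROS")


def parse_yaml_subset(text):
    """Parse nested mappings of scalars indented with spaces; '#' starts a comment.
    Lists, quoting and multi-line values are out of scope for this check."""
    root = {}
    stack = [(-1, root)]                     # (indent, mapping open at that indent)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:        # close mappings at equal or deeper indent
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key.strip()] = value.strip()
        else:
            parent[key.strip()] = child = {}
            stack.append((indent, child))
    return root


def authorization_state(cassandra_cfg, dse_cfg):
    """Derive what the DSE Authorizer will actually enforce from the two files."""
    authorizer = cassandra_cfg.get("authorizer", "AllowAllAuthorizer")
    opts = dse_cfg.get("authorization_options", {})
    enabled = str(opts.get("enabled", "false")).lower() == "true"
    mode = str(opts.get("transitional_mode", "disabled")).lower()
    findings = []
    if not authorizer.endswith("DseAuthorizer"):
        findings.append(f"cassandra.yaml authorizer is {authorizer}: no permission checks")
    if not enabled:
        findings.append("dse.yaml authorization_options.enabled is not true")
    if mode == "normal":
        findings.append("transitional_mode normal: grants are recorded but nothing is enforced")
    elif mode == "strict":
        findings.append("transitional_mode strict: enforced for authenticated users only; "
                        "anonymous users are not checked")
    elif mode != "disabled":
        findings.append(f"unrecognised transitional_mode {mode!r}")
    active = authorizer.endswith("DseAuthorizer") and enabled
    return {
        "enforced_authenticated": active and mode in ("disabled", "strict"),
        "enforced_anonymous": active and mode == "disabled",
        "findings": findings,
    }


def cql_role_literal(role):
    """Quote a role name for CQL; doubling embedded quotes keeps names such as
    allschemes_role@group1_auth (or a hostile one) from breaking the statement."""
    return "'" + role.replace("'", "''") + "'"


def scheme_grant_statements(role, schemes, enabled_schemes):
    """Return (statements, skipped). 'ALL' grants every scheme in one statement;
    otherwise one GRANT per named scheme. A scheme not enabled in the DseAuthenticator
    is reported instead of granted, because the grant has no effect until it is."""
    target = cql_role_literal(role)
    if schemes == "ALL":
        return [f"GRANT EXECUTE ON ALL AUTHENTICATION SCHEMES TO {target};"], []
    enabled = {s.upper() for s in enabled_schemes}
    statements, skipped = [], []
    for scheme in schemes:
        scheme = scheme.upper()
        if scheme not in SCHEMES:
            raise ValueError(f"unknown authentication scheme: {scheme}")
        if scheme not in enabled:
            skipped.append(scheme)
            continue
        statements.append(f"GRANT EXECUTE ON {scheme} SCHEME TO {target};")
    return statements, skipped


if __name__ == "__main__":
    state = authorization_state(parse_yaml_subset(CASSANDRA_YAML),
                                parse_yaml_subset(DSE_YAML))
    for finding in state["findings"]:
        print("WARN:", finding)
    print("enforced for authenticated users:", state["enforced_authenticated"])
    print("enforced for anonymous users:", state["enforced_anonymous"])
    # Constructed: the schemes enabled in the DseAuthenticator on this cluster.
    stmts, skipped = scheme_grant_statements("ldap_role@group1_auth",
                                             ["ldap", "kerberos"], {"internal", "ldap"})
    print("\n".join(stmts))
    if skipped:
        print("not granted, scheme not enabled in DseAuthenticator:", ", ".join(skipped))
```

Run it against the real files on each node (replace the constructed strings with the file contents) before declaring the cluster locked down; with the sample inputs it reports that only authenticated users are checked and that the KERBEROS grant would be a no-op.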