Configuring DSE Role management

Steps to configure the DSE Role Manager. Role-based access authenticates users based on their association with LDAP groups or Cassandra roles.

The DSE Role Manager can work with Cassandra roles directly or can map external LDAP groups to Cassandra roles. When used with the DSE Authorizer, the DSE Role Manager allows role-based access control (RBAC). RBAC simplifies permissions management by allowing related privileges to be bundled together: the privileges are granted to roles, which can then be assigned to specific database users or to other roles. Users are roles with the ability to log in.

The location of the dse.yaml file depends on the type of installation:
  • Installer-Services: /etc/dse/dse.yaml
  • Package installations: /etc/dse/dse.yaml
  • Installer-No Services: install_location/resources/dse/conf/dse.yaml
  • Tarball installations: install_location/resources/dse/conf/dse.yaml

The location of the cassandra.yaml file depends on the type of installation:
  • Installer-Services: /etc/dse/cassandra/cassandra.yaml
  • Package installations: /etc/dse/cassandra/cassandra.yaml
  • Installer-No Services: install_location/resources/cassandra/conf/cassandra.yaml
  • Tarball installations: install_location/resources/cassandra/conf/cassandra.yaml

Procedure

On each node:

  1. Enable authentication (see Configuring authentication).
  2. In the cassandra.yaml file, verify that role_manager is set to the DSE Role Manager, which is the default value:
    role_manager: com.datastax.bdp.cassandra.auth.DseRoleManager
  3. In the dse.yaml file, set the role_management_options to define whether roles are managed internally by DataStax Enterprise or by an external LDAP server:
    role_management_options:
        mode: internal
    For mode, select one of these values:
    • internal - (Default) Granting and revoking of roles is managed internally with Cassandra database roles, which are set with CQL using GRANT ROLE and REVOKE ROLE statements. Users must have a matching Cassandra role to log in. To configure authorization, see Configuring authorization and object permissions.
    • ldap - Granting and revoking of roles is managed by an external LDAP server configured using the ldap_options. Role management is handled by the external LDAP directory server: the DSE Role Manager fetches the role assignments for a user by fetching that user's LDAP groups from the directory. An LDAP group is used only if it has a matching Cassandra role; in this mode it is not possible to grant roles to other roles in Cassandra, or to revoke roles from roles. Users do not need a matching Cassandra role of their own to log in, but must belong to a Cassandra role that has login capability. To configure and use LDAP authentication, complete the steps in Configuring LDAP.
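As an added check, not part of the DataStax procedure, the following Python audit reads the text of a node's cassandra.yaml and dse.yaml and reports whether role_manager and role_management_options.mode match the settings above, and whether an ldap mode has an ldap_options section to go with it. The sample file contents, the ldap_options contents and the node names are constructed placeholders.

```python
import re

DSE_ROLE_MANAGER = "com.datastax.bdp.cassandra.auth.DseRoleManager"
VALID_MODES = {"internal", "ldap"}

def parse_simple_yaml(text):
    """Minimal reader for the flat 'key: value' and one-level nested
    'section:' / '    key: value' layout of these two files. It is not a
    general YAML parser: comments are stripped and lists are ignored."""
    tree, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        m = re.match(r"^(\s*)(\w+):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        if indent == 0:
            section = key if value == "" else None   # bare 'key:' opens a section
            tree[key] = {} if value == "" else value
        elif section is not None:
            tree[section][key] = value
    return tree

def audit_role_manager(cassandra_yaml, dse_yaml):
    """Return findings for one node; an empty list means it matches the procedure."""
    findings = []
    cass, dse = parse_simple_yaml(cassandra_yaml), parse_simple_yaml(dse_yaml)
    if cass.get("role_manager") != DSE_ROLE_MANAGER:
        findings.append("cassandra.yaml: role_manager=%r, expected %s"
                        % (cass.get("role_manager"), DSE_ROLE_MANAGER))
    opts = dse.get("role_management_options")
    mode = opts.get("mode") if isinstance(opts, dict) else None
    if mode not in VALID_MODES:
        findings.append("dse.yaml: role_management_options.mode=%r, expected internal or ldap" % mode)
    elif mode == "ldap" and not isinstance(dse.get("ldap_options"), dict):
        findings.append("dse.yaml: mode is ldap but no ldap_options section is configured")
    return findings

# Constructed sample files (placeholders, not copied from a real node).
CASSANDRA_OK = "role_manager: com.datastax.bdp.cassandra.auth.DseRoleManager\n"
CASSANDRA_BAD = "role_manager: org.apache.cassandra.auth.CassandraRoleManager\n"
DSE_INTERNAL = "role_management_options:\n    mode: internal\n"
DSE_LDAP_NO_OPTS = "role_management_options:\n    mode: ldap  # groups come from LDAP\n"
DSE_LDAP_OK = DSE_LDAP_NO_OPTS + "ldap_options:\n    server_host: ldap.example.com\n"

if __name__ == "__main__":
    for node, c, d in [("node-a", CASSANDRA_OK, DSE_INTERNAL),
                       ("node-b", CASSANDRA_BAD, DSE_LDAP_NO_OPTS)]:
        print(node, audit_role_manager(c, d) or "OK")
```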