GRANT

Defines resource authorization.

Assigns privileges to roles on database resources, such as keyspaces, tables, functions.

Important: Permissions apply immediately, even to active client sessions.

Synopsis

GRANT permission
  [ ON object ]
  TO role_name ;
Note: Enclose the role name in single quotation marks if it contains special characters or capital letters.
Note: To modify a base table that has a materialized view (MV) using an INSERT or UPDATE command if access permissions are enabled, a user must be granted MODIFY or ALL PERMISSIONS on the base table.
Table 1. Legend
Syntax conventions Description
UPPERCASE Literal keyword.
Lowercase Not literal.
Italics Variable value. Replace with a user-defined value.
[] Optional. Square brackets ( [] ) surround optional command arguments. Do not type the square brackets.
( ) Group. Parentheses ( ( ) ) identify a group to choose from. Do not type the parentheses.
| Or. A vertical bar ( | ) separates alternative elements. Type any one of the elements. Do not type the vertical bar.
... Repeatable. An ellipsis ( ... ) indicates that you can repeat the syntax element as often as required.
'Literal string' Single quotation ( ' ) marks must surround literal strings in CQL statements. Use single quotation marks to preserve upper case.
{ key : value } Map collection. Braces ( { } ) enclose map collections or key value pairs. A colon separates the key and the value.
<datatype1,datatype2> Set, list, map, or tuple. Angle brackets ( < > ) enclose data types in a set, list, map, or tuple. Separate the data types with a comma.
cql_statement; End CQL statement. A semicolon ( ; ) terminates all CQL statements.
[--] Separate the command line options from the command arguments with two hyphens ( -- ). This syntax is useful when arguments might be mistaken for command line options.
' <schema> ... </schema> ' Search CQL only: Single quotation marks ( ' ) surround an entire XML schema declaration.
@xml_entity='xml_entity_type' Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrConfig files.
privilege

Permissions granted on a resource to a role; grant a privilege at any level of the resource hierarchy. The full set of available privileges is:

  • ALL PERMISSIONS
  • ALTER
  • AUTHORIZE
  • CREATE
  • DESCRIBE
  • DROP
  • EXECUTE
  • MODIFY
  • PROXY.EXECUTE
  • PROXY.LOGIN
  • SEARCH.ALTER
  • SEARCH.COMMIT
  • SEARCH.CREATE
  • SEARCH.DROP
  • SEARCH.REBUILD
  • SEARCH.RELOAD
  • SELECT
resource_name

The DataStax Distribution of Apache Cassandra database objects to which permissions are applied. Database resources have modelled hierarchy. Grant permissions on a resource higher in the chain to automatically grant that same permission on all resources lower down.

Note: Not all privileges apply to every type of resource. For instance, EXECUTE is only relevant in the context of functions, MBeans, RPC, and authentication schemes. Attempting to grant privileges on a resource that the permission is not applicable results in an error.
Functions
  • ALL FUNCTIONS
  • ALL FUNCTIONS IN KEYSPACE keyspace_name
  • FUNCTION keyspace_name.function_name
Data
  • ALL KEYSPACES
  • TABLE table_name
  • Rows ('filtering_data' ROWS IN table_name)
  • Indexes (other than search indexes) belong to a table but permission cannot be directly assigned. ALTER permission on a table allows users to CREATE and DROP indexes.
  • KEYSPACE keyspace_name
  • Types belong to a keyspace but permissions cannot be directly assigned. To manage types set the keyspace permissions to CREATE, DROP, or ALTER which also gives the user the same permissions for tables.
Search index
  • ALL SEARCH INDICES
  • SEARCH KEYSPACE keyspace_name
  • SEARCH INDICES [keyspace_name.]table_name
JMX
  • ALL MBEANS
    • MBEAN mbean_name
    • MBEANS pattern
Roles
  • ALL ROLES
  • ROLE role_name
    Note: When using the internal Role Management mode nest roles using GRANT role_name TO role_name to give all the permissions of the first role in the statement to the second role. Use roles to create your own hierarchical permissions structures.
Remote procedure calls (RPC)
  • ALL OBJECTS
  • OBJECT object_name
  • METHOD
Authentication schemes
  • ALL SCHEMES
  • (LDAP | KERBEROS | INTERNAL) SCHEME
Spark applications
Submit applications:
  • ANY WORKPOOL
  • WORKPOOL datacenter_name
Manage applications:
  • ANY SUBMISSION
  • ANY SUBMISSION IN WORKPOOL datacenter_name
  • SUBMISSION application_ID IN WORKPOOL datacenter_name

Access control matrix

The following table shows the relationship between privileges and resources, and describes the resulting permissions.

Resource type Privilege Resource Permissions
Data ALL PERMISSIONS resource_name All operations that are applicable to the resource (listed below) and its ancestors, where resource name is listed below.
Data ALTER ALL KEYSPACES ALTER KEYSPACE, ALTER TABLE, ALTER TYPE, RESTRICT ROW in any keyspace.
Data ALTER KEYSPACE keyspace_name ALTER KEYSPACE, ALTER TABLE, ALTER TYPE, and RESTRICT ROW in specified keyspace.
Data ALTER TABLE table_name ALTER TABLE and RESTRICT ROW of specified table.
Data CREATE ALL KEYSPACES CREATE KEYSPACE, CREATE TABLE, CREATE FUNCTIONS, and CREATE TYPE in any keyspace.
Data CREATE KEYSPACE keyspace_name CREATE TABLE and CREATE TYPE in specified keyspace.
Data DROP ALL KEYSPACES DROP KEYSPACE, DROP TABLE, and DROP TYPE in any keyspace
Data DROP KEYSPACE keyspace_name DROP TABLE and DROP TYPE in specified keyspace
Data DROP TABLEtable_name DROP TABLE specified.
Data MODIFY 'filtering_data' ROWS IN table_name MODIFY on rows that exactly match the 'filtering_data' in specified table.
Data MODIFY ALL KEYSPACES INSERT, UPDATE, DELETE, and TRUNCATE on any table.
Data MODIFY KEYSPACE keyspace_name INSERT, UPDATE, DELETE, and TRUNCATE on any table in specified keyspace.
Data MODIFY TABLE table_name INSERT, UPDATE, DELETE, and TRUNCATE on specified table.
Data SELECT 'filtering_data' ROWS IN table_name SELECT on rows that exactly match the 'filtering_data' in specified table.
Data SELECT ALL KEYSPACES SELECT on any table.
Data SELECT KEYSPACE keyspace_name SELECT on any table in specified keyspace.
Data SELECT TABLE table_name SELECT on specified table.
Functions ALTER ALL FUNCTIONS CREATE FUNCTION and CREATE AGGREGATE, also replace existing.
Functions ALTER ALL FUNCTIONS IN KEYSPACE keyspace_name CREATE FUNCTION and CREATE AGGREGATE, also replace existing in specified keyspace
Functions ALTER FUNCTION function_name CREATE FUNCTION and CREATE AGGREGATE, also replace existing.
Functions CREATE ALL FUNCTIONS CREATE FUNCTION in any keyspace and CREATE AGGREGATE in any keyspace.
Functions CREATE ALL FUNCTIONS IN KEYSPACE keyspace_name CREATE FUNCTION and CREATE AGGREGATE in specified keyspace.
Functions DROP ALL FUNCTIONS DROP FUNCTION and DROP AGGREGATE in any keyspace.
Functions DROP ALL FUNCTIONS IN KEYSPACE keyspace_name DROP FUNCTION and DROP AGGREGATE in specified keyspace.
Functions DROP FUNCTION function_name DROP FUNCTION specified function.
Functions EXECUTE ALL FUNCTIONS SELECT, INSERT, and UPDATE using any function, and use of any function in CREATE AGGREGATE.
Functions EXECUTE ALL FUNCTIONS IN KEYSPACE keyspace_name SELECT, INSERT, and UPDATE using any function in specified keyspace and use of any function in a keyspace in CREATE AGGREGATE.
Functions EXECUTE FUNCTION function_name SELECT, INSERT, and UPDATE using specified function, and use of the function in CREATE AGGREGATE.
JMX DESCRIBE ALL MBEANS Retrieve metadata about any mbean from the platform's MBeanServer.
JMX DESCRIBE MBEAN mbean_name Retrieve metadata about a named mbean from the platform's MBeanServer.
JMX DESCRIBE MBEANS pattern Retrieve metadata about any mbean matching a wildcard patter from the platform's MBeanServer.
JMX EXECUTE ALL MBEANS Execute operations on any mbean.
JMX EXECUTE MBEAN mbean_name Execute operations on named mbean.
JMX EXECUTE MBEANS pattern Execute operations on any mbean matching a wildcard patter.
JMX MODIFY ALL MBEANS Call setter methods on any mbean.
JMX MODIFY MBEAN mbean_name Call setter methods on named mbean.
JMX MODIFY MBEANS pattern Call setter methods on any mbean matching a wildcard pattern.
JMX SELECT ALL MBEANS Call getter methods on any mbean.
JMX SELECT MBEAN mbean_name Call getter methods on named mbean.
JMX SELECT MBEANS pattern Call getter methods on any mbean matching a wildcard pattern.
Role Management ALTER ALL ROLES ALTER ROLE on any role
Role Management ALTER ROLE role_name ALTER ROLE for specified role.
Role Management AUTHORIZE resource_name GRANT privilege and REVOKE privilege on the resource.
Note: Roles are resources. Requires that user has AUTHORIZE on the resource.
Role Management CREATE ALL ROLES CREATE ROLE
Role Management DESCRIBE ALL ROLES LIST privilege on all roles or only roles granted to another specified role.
Role Management DROP ALL ROLES Drop all roles.
Role Management DROP ROLE role_name Drop the specified role.
Role Management PROXY.EXECUTE ROLE role_name After authenticating issue individual requests as a different user.
Role Management PROXY.LOGIN ROLE role_name After authenticating issue all requests as a different user.
Role Management role_name resource_name Grant role (as a set of permissions) to another role. Requires AUTHORIZE permission on the permission role and target role.
Search index ALL PERMISSIONS ALL SEARCH INDICES All search index privileges for all search indexes in the system.
Search index ALL PERMISSIONS SEARCH KEYSPACE keyspace_name All search index privileges for all tables in specified keyspace.
Search index ALL PERMISSIONS SEARCH INDEX [keyspace_name.]table_name All search index privileges for specified table.
Search index SEARCH.ALTER ALL SEARCH INDICES ALTER SEARCH INDEX on all tables in all keyspaces.
Search index SEARCH.ALTER SEARCH KEYSPACE keyspace_name ALTER SEARCH INDEX on all tables in specified keyspace.
Search index SEARCH.ALTER SEARCH INDEX [keyspace_name.]table_name ALTER SEARCH INDEX on specified table.
Search index SEARCH.COMMIT ALL SEARCH INDICES COMMIT SEARCH INDEX on all tables in all keyspaces.
Search index SEARCH.COMMIT SEARCH KEYSPACE keyspace_name COMMIT SEARCH INDEX on all tables in specified keyspace.
Search index SEARCH.COMMIT SEARCH INDEX [keyspace_name.]table_name COMMIT SEARCH INDEX on specified table.
Search index SEARCH.CREATE ALL SEARCH INDICES CREATE SEARCH INDEX on all tables in all keyspaces.
Search index SEARCH.CREATE SEARCH KEYSPACE keyspace_name CREATE SEARCH INDEX on all tables in specified keyspace.
Search index SEARCH.CREATE SEARCH INDEX [keyspace_name.]table_name CREATE SEARCH INDEX on specified table.
Search index SEARCH.DROP ALL SEARCH INDICES DROP SEARCH INDEX on all tables in all keyspaces.
Search index SEARCH.DROP SEARCH KEYSPACE keyspace_name DROP SEARCH INDEX on all tables in specified keyspace.
Search index SEARCH.DROP SEARCH INDEX [keyspace_name.]table_name DROP SEARCH INDEX on specified table.
Search index SEARCH.REBUILD ALL SEARCH INDICES REBUILD SEARCH INDEX on any table in all keyspaces.
Search index SEARCH.REBUILD SEARCH KEYSPACE keyspace_name REBUILD SEARCH INDEX on all tables in specified keyspace.
Search index SEARCH.REBUILD SEARCH INDEX [keyspace_name.]table_name REBUILD SEARCH INDEX on specified table.
Search index SEARCH.RELOAD ALL SEARCH INDICES RELOAD SEARCH INDEX on all tables in all keyspaces.
Search index SEARCH.RELOAD SEARCH KEYSPACE keyspace_name RELOAD SEARCH INDEX on all tables in specified keyspace.
Search index SEARCH.RELOAD SEARCH INDEX [keyspace_name.]table_name RELOAD SEARCH INDEX on specified table.
Spark applications CREATE ANY WORKPOOL Submit an application to the work pool in any datacenter.
Spark applications CREATE WORKPOOL datacenter_name Submit an application to the work pool in a specific datacenter.
Spark applications MODIFY ANY SUBMISSION Manage any applications across all datacenters.
Spark applications MODIFY ANY SUBMISSION IN WORKPOOL datacenter_name Manage applications in a specified datacenter.
Spark applications MODIFY SUBMISSION application_ID IN WORKPOOL datacenter_name Manage a single application in a specified datacenter.

Examples

In most environments, user authentication is handled by a plug-in that verifies users credentials against an external directory service such as LDAP. The CQL role is mapped to the external group by matching the role name to a group name. For simplicity, the following examples use internal users.

Give the role coach permission to perform SELECT statements on all tables in all keyspaces:
GRANT SELECT ON ALL KEYSPACES TO coach;
Give the role manager permission to perform INSERT, UPDATE, DELETE and TRUNCATE statements on all tables in the field keyspace:
GRANT MODIFY ON KEYSPACE field TO manager;
Give the role coach the permission to run ALTER KEYSPACE statements on the cycling keyspace, and also ALTER TABLE, CREATE INDEX, and DROP INDEX statements on all tables in the cycling keyspace:
GRANT ALTER ON KEYSPACE cycling TO coach;
Give the role coach permission to run all statements on the cycling.name table:
GRANT ALL PERMISSIONS ON cycling.name TO coach;
Create an administrator role with full access to the cycling keyspace:
GRANT ALL ON KEYSPACE cycling TO cycling_admin;
Give the role sponsor permission to perform SELECT statements on rows that contain 'SPONSORED' in the cycling.rank table:
GRANT SELECT ON 'SPONSORED' ROWS IN cycling.rank TO sponsor;
Note: The filtering_data string is case-sensitive.
To view permissions:
LIST ALL PERMISSIONS

To grant create permissions on a work pool in a specific datacenter:

GRANT CREATE ON WORKPOOL datacenter_name TO role_name;