GRANT
Defines resource authorization.
Assigns privileges to roles on database resources, such as keyspaces, tables, functions.
Synopsis
GRANT permission [ ON object ] TO role_name ;
INSERT
or UPDATE
command if access permissions are enabled, a user must
be granted MODIFY
or ALL PERMISSIONS
on the base
table.Syntax conventions | Description |
---|---|
UPPERCASE | Literal keyword. |
Lowercase | Not literal. |
Italics |
Variable value. Replace with a user-defined value. |
[] |
Optional. Square brackets ( [] ) surround
optional command arguments. Do not type the square brackets. |
( ) |
Group. Parentheses ( ( ) ) identify a group to
choose from. Do not type the parentheses. |
| |
Or. A vertical bar ( | ) separates alternative
elements. Type any one of the elements. Do not type the vertical
bar. |
... |
Repeatable. An ellipsis ( ... ) indicates that
you can repeat the syntax element as often as required. |
'Literal string' |
Single quotation ( ' ) marks must surround
literal strings in CQL statements. Use single quotation marks to
preserve upper case. |
{ key : value
} |
Map collection. Braces ( { } ) enclose map
collections or key value pairs. A colon separates the key and the
value. |
<datatype1,datatype2> |
Set, list, map, or tuple. Angle brackets ( <
> ) enclose data types in a set, list, map, or tuple.
Separate the data types with a comma. |
cql_statement; |
End CQL statement. A semicolon ( ; ) terminates
all CQL statements. |
[--] |
Separate the command line options from the command arguments with
two hyphens ( -- ). This syntax is useful when
arguments might be mistaken for command line options. |
' <schema> ... </schema>
' |
Search CQL only: Single quotation marks ( ' )
surround an entire XML schema declaration. |
@xml_entity='xml_entity_type' |
Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrConfig files. |
- privilege
-
Permissions granted on a resource to a role; grant a privilege at any level of the resource hierarchy. The full set of available privileges is:
- ALL PERMISSIONS
- ALTER
- AUTHORIZE
- CREATE
- DESCRIBE
- DROP
- EXECUTE
- MODIFY
- PROXY.EXECUTE
- PROXY.LOGIN
- SEARCH.ALTER
- SEARCH.COMMIT
- SEARCH.CREATE
- SEARCH.DROP
- SEARCH.REBUILD
- SEARCH.RELOAD
- SELECT
- resource_name
-
The DataStax Distribution of Apache Cassandra™ database objects to which permissions are applied. Database resources have modelled hierarchy. Grant permissions on a resource higher in the chain to automatically grant that same permission on all resources lower down.
Note: Not all privileges apply to every type of resource. For instance,EXECUTE
is only relevant in the context of functions, MBeans, RPC, and authentication schemes. Attempting to grant privileges on a resource that the permission is not applicable results in an error.
- Functions
-
- ALL FUNCTIONS
- ALL FUNCTIONS IN KEYSPACE keyspace_name
- FUNCTION keyspace_name.function_name
- Data
-
- ALL KEYSPACES
- TABLE table_name
- Rows ('filtering_data' ROWS IN table_name)
- Indexes (other than search indexes) belong to a table but permission cannot be directly assigned. ALTER permission on a table allows users to CREATE and DROP indexes.
- KEYSPACE keyspace_name
- Types belong to a keyspace but permissions cannot be directly assigned. To manage types set the keyspace permissions to CREATE, DROP, or ALTER which also gives the user the same permissions for tables.
- Search index
-
- ALL SEARCH INDICES
- SEARCH KEYSPACE keyspace_name
- SEARCH INDICES [keyspace_name.]table_name
- JMX
-
- ALL MBEANS
- MBEAN mbean_name
- MBEANS pattern
- ALL MBEANS
- Roles
-
- ALL ROLES
- ROLE role_nameNote: When using the
internal
Role Management mode nest roles usingGRANT role_name TO role_name
to give all the permissions of the first role in the statement to the second role. Use roles to create your own hierarchical permissions structures.
- Remote procedure calls (RPC)
-
- ALL OBJECTS
- OBJECT object_name
- METHOD
- Authentication schemes
-
- ALL SCHEMES
- (LDAP | KERBEROS | INTERNAL) SCHEME
- Spark applications
-
Submit applications:
- ANY WORKPOOL
- WORKPOOL datacenter_name
Manage applications:- ANY SUBMISSION
- ANY SUBMISSION IN WORKPOOL datacenter_name
- SUBMISSION application_ID IN WORKPOOL datacenter_name
Access control matrix
The following table shows the relationship between privileges and resources, and describes the resulting permissions.
Resource type | Privilege | Resource | Permissions |
---|---|---|---|
Data | ALL PERMISSIONS | resource_name | All operations that are applicable to the resource (listed below) and its ancestors, where resource name is listed below. |
Data | ALTER | ALL KEYSPACES | ALTER KEYSPACE, ALTER TABLE, ALTER TYPE, RESTRICT ROW in any keyspace. |
Data | ALTER | KEYSPACE keyspace_name | ALTER KEYSPACE, ALTER TABLE, ALTER TYPE, and RESTRICT ROW in specified keyspace. |
Data | ALTER | TABLE table_name | ALTER TABLE and RESTRICT ROW of specified table. |
Data | CREATE | ALL KEYSPACES | CREATE KEYSPACE, CREATE TABLE, CREATE FUNCTIONS, and CREATE TYPE in any keyspace. |
Data | CREATE | KEYSPACE keyspace_name | CREATE TABLE and CREATE TYPE in specified keyspace. |
Data | DROP | ALL KEYSPACES | DROP KEYSPACE, DROP TABLE, and DROP TYPE in any keyspace |
Data | DROP | KEYSPACE keyspace_name | DROP TABLE and DROP TYPE in specified keyspace |
Data | DROP | TABLEtable_name | DROP TABLE specified. |
Data | MODIFY | 'filtering_data' ROWS IN table_name | MODIFY on rows that exactly match the 'filtering_data' in specified table. |
Data | MODIFY | ALL KEYSPACES | INSERT, UPDATE, DELETE, and TRUNCATE on any table. |
Data | MODIFY | KEYSPACE keyspace_name | INSERT, UPDATE, DELETE, and TRUNCATE on any table in specified keyspace. |
Data | MODIFY | TABLE table_name | INSERT, UPDATE, DELETE, and TRUNCATE on specified table. |
Data | SELECT | 'filtering_data' ROWS IN table_name | SELECT on rows that exactly match the 'filtering_data' in specified table. |
Data | SELECT | ALL KEYSPACES | SELECT on any table. |
Data | SELECT | KEYSPACE keyspace_name | SELECT on any table in specified keyspace. |
Data | SELECT | TABLE table_name | SELECT on specified table. |
Functions | ALTER | ALL FUNCTIONS | CREATE FUNCTION and CREATE AGGREGATE, also replace existing. |
Functions | ALTER | ALL FUNCTIONS IN KEYSPACE keyspace_name | CREATE FUNCTION and CREATE AGGREGATE, also replace existing in specified keyspace |
Functions | ALTER | FUNCTION function_name | CREATE FUNCTION and CREATE AGGREGATE, also replace existing. |
Functions | CREATE | ALL FUNCTIONS | CREATE FUNCTION in any keyspace and CREATE AGGREGATE in any keyspace. |
Functions | CREATE | ALL FUNCTIONS IN KEYSPACE keyspace_name | CREATE FUNCTION and CREATE AGGREGATE in specified keyspace. |
Functions | DROP | ALL FUNCTIONS | DROP FUNCTION and DROP AGGREGATE in any keyspace. |
Functions | DROP | ALL FUNCTIONS IN KEYSPACE keyspace_name | DROP FUNCTION and DROP AGGREGATE in specified keyspace. |
Functions | DROP | FUNCTION function_name | DROP FUNCTION specified function. |
Functions | EXECUTE | ALL FUNCTIONS | SELECT, INSERT, and UPDATE using any function, and use of any function in CREATE AGGREGATE. |
Functions | EXECUTE | ALL FUNCTIONS IN KEYSPACE keyspace_name | SELECT, INSERT, and UPDATE using any function in specified keyspace and use of any function in a keyspace in CREATE AGGREGATE. |
Functions | EXECUTE | FUNCTION function_name | SELECT, INSERT, and UPDATE using specified function, and use of the function in CREATE AGGREGATE. |
JMX | DESCRIBE | ALL MBEANS | Retrieve metadata about any mbean from the platform's MBeanServer. |
JMX | DESCRIBE | MBEAN mbean_name | Retrieve metadata about a named mbean from the platform's MBeanServer. |
JMX | DESCRIBE | MBEANS pattern | Retrieve metadata about any mbean matching a wildcard patter from the platform's MBeanServer. |
JMX | EXECUTE | ALL MBEANS | Execute operations on any mbean. |
JMX | EXECUTE | MBEAN mbean_name | Execute operations on named mbean. |
JMX | EXECUTE | MBEANS pattern | Execute operations on any mbean matching a wildcard patter. |
JMX | MODIFY | ALL MBEANS | Call setter methods on any mbean. |
JMX | MODIFY | MBEAN mbean_name | Call setter methods on named mbean. |
JMX | MODIFY | MBEANS pattern | Call setter methods on any mbean matching a wildcard pattern. |
JMX | SELECT | ALL MBEANS | Call getter methods on any mbean. |
JMX | SELECT | MBEAN mbean_name | Call getter methods on named mbean. |
JMX | SELECT | MBEANS pattern | Call getter methods on any mbean matching a wildcard pattern. |
Role Management | ALTER | ALL ROLES | ALTER ROLE on any role |
Role Management | ALTER | ROLE role_name | ALTER ROLE for specified role. |
Role Management | AUTHORIZE | resource_name | GRANT privilege and REVOKE privilege on the resource. Note: Roles are
resources. Requires that user has AUTHORIZE on the resource. |
Role Management | CREATE | ALL ROLES | CREATE ROLE |
Role Management | DESCRIBE | ALL ROLES | LIST privilege on all roles or only roles granted to another specified role. |
Role Management | DROP | ALL ROLES | Drop all roles. |
Role Management | DROP | ROLE role_name | Drop the specified role. |
Role Management | PROXY.EXECUTE | ROLE role_name | After authenticating issue individual requests as a different user. |
Role Management | PROXY.LOGIN | ROLE role_name | After authenticating issue all requests as a different user. |
Role Management | role_name | resource_name | Grant role (as a set of permissions) to another role. Requires AUTHORIZE permission on the permission role and target role. |
Search index | ALL PERMISSIONS | ALL SEARCH INDICES | All search index privileges for all search indexes in the system. |
Search index | ALL PERMISSIONS | SEARCH KEYSPACE keyspace_name | All search index privileges for all tables in specified keyspace. |
Search index | ALL PERMISSIONS | SEARCH INDEX [keyspace_name.]table_name | All search index privileges for specified table. |
Search index | SEARCH.ALTER | ALL SEARCH INDICES | ALTER SEARCH INDEX on all tables in all keyspaces. |
Search index | SEARCH.ALTER | SEARCH KEYSPACE keyspace_name | ALTER SEARCH INDEX on all tables in specified keyspace. |
Search index | SEARCH.ALTER | SEARCH INDEX [keyspace_name.]table_name | ALTER SEARCH INDEX on specified table. |
Search index | SEARCH.COMMIT | ALL SEARCH INDICES | COMMIT SEARCH INDEX on all tables in all keyspaces. |
Search index | SEARCH.COMMIT | SEARCH KEYSPACE keyspace_name | COMMIT SEARCH INDEX on all tables in specified keyspace. |
Search index | SEARCH.COMMIT | SEARCH INDEX [keyspace_name.]table_name | COMMIT SEARCH INDEX on specified table. |
Search index | SEARCH.CREATE | ALL SEARCH INDICES | CREATE SEARCH INDEX on all tables in all keyspaces. |
Search index | SEARCH.CREATE | SEARCH KEYSPACE keyspace_name | CREATE SEARCH INDEX on all tables in specified keyspace. |
Search index | SEARCH.CREATE | SEARCH INDEX [keyspace_name.]table_name | CREATE SEARCH INDEX on specified table. |
Search index | SEARCH.DROP | ALL SEARCH INDICES | DROP SEARCH INDEX on all tables in all keyspaces. |
Search index | SEARCH.DROP | SEARCH KEYSPACE keyspace_name | DROP SEARCH INDEX on all tables in specified keyspace. |
Search index | SEARCH.DROP | SEARCH INDEX [keyspace_name.]table_name | DROP SEARCH INDEX on specified table. |
Search index | SEARCH.REBUILD | ALL SEARCH INDICES | REBUILD SEARCH INDEX on any table in all keyspaces. |
Search index | SEARCH.REBUILD | SEARCH KEYSPACE keyspace_name | REBUILD SEARCH INDEX on all tables in specified keyspace. |
Search index | SEARCH.REBUILD | SEARCH INDEX [keyspace_name.]table_name | REBUILD SEARCH INDEX on specified table. |
Search index | SEARCH.RELOAD | ALL SEARCH INDICES | RELOAD SEARCH INDEX on all tables in all keyspaces. |
Search index | SEARCH.RELOAD | SEARCH KEYSPACE keyspace_name | RELOAD SEARCH INDEX on all tables in specified keyspace. |
Search index | SEARCH.RELOAD | SEARCH INDEX [keyspace_name.]table_name | RELOAD SEARCH INDEX on specified table. |
Spark applications | CREATE | ANY WORKPOOL | Submit an application to the work pool in any datacenter. |
Spark applications | CREATE | WORKPOOL datacenter_name | Submit an application to the work pool in a specific datacenter. |
Spark applications | MODIFY | ANY SUBMISSION | Manage any applications across all datacenters. |
Spark applications | MODIFY | ANY SUBMISSION IN WORKPOOL datacenter_name | Manage applications in a specified datacenter. |
Spark applications | MODIFY | SUBMISSION application_ID IN WORKPOOL datacenter_name | Manage a single application in a specified datacenter. |
Examples
In most environments, user authentication is handled by a plug-in that verifies users credentials against an external directory service such as LDAP. The CQL role is mapped to the external group by matching the role name to a group name. For simplicity, the following examples use internal users.
SELECT
statements on all tables in all
keyspaces:GRANT SELECT ON ALL KEYSPACES TO coach;
INSERT
,
UPDATE
, DELETE
and TRUNCATE
statements
on all tables in the field
keyspace:GRANT MODIFY ON KEYSPACE field TO manager;
ALTER
KEYSPACE
statements on the cycling keyspace, and also ALTER
TABLE
, CREATE INDEX
, and DROP INDEX
statements
on all tables in the cycling
keyspace:GRANT ALTER ON KEYSPACE cycling TO coach;
GRANT ALL PERMISSIONS ON cycling.name TO coach;
GRANT ALL ON KEYSPACE cycling TO cycling_admin;
SELECT
statements on rows that contain 'SPONSORED' in the cycling.rank
table:GRANT SELECT ON 'SPONSORED' ROWS IN cycling.rank TO sponsor;
LIST ALL PERMISSIONS
To grant create permissions on a work pool in a specific datacenter:
GRANT CREATE ON WORKPOOL datacenter_name TO role_name;