Configuring internal authorization

Steps for adding the CassandraAuthorizer.

CassandraAuthorizer is one of many possible IAuthorizer implementations. Its advantage is that it stores permissions in the system_auth.permissions table to support all authorization-related CQL statements.

Note: To configure authentication, see Internal authentication.


  • The cassandra.yaml file is located in the installation_location/conf directory.


  1. In the cassandra.yaml file, change the authorizer setting to CassandraAuthorizer.
    authorizer: CassandraAuthorizer
    You can use any authenticator except AllowAll.
  2. Increase the replication factor for the system_auth keyspace if not already configured.
  3. Fetching role permissions can be a costly operation, so role permissions can be cached to reduce the load. Adjust the validity period for permission caching by setting the permissions_validity_in_ms option in the cassandra.yaml file. The default value is 2000 milliseconds. Caching can be disabled by setting the option to 0. This setting is disabled automatically if the authorizer is set to AllowAllAuthorizer.
    permissions_validity_in_ms: 2000
  4. A refresh interval for role caches can also be configured by setting the permissions_update_interval_in_ms option in the cassandra.yaml file. The default value is the same as the permissions_validity_in_ms setting. If permissions_validity_in_ms is non-zero, this setting must be set.
    permissions_update_interval_in_ms: 2000
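
A way to check a cassandra.yaml against the steps above before restarting a node. This is an added example, not DataStax code: the function names, the constructed sample file and the max_validity_ms threshold are assumptions, and an unset authenticator or authorizer is treated as the AllowAll default.

```python
import re

# Constructed sample: a cassandra.yaml fragment using the settings from the steps above.
SAMPLE_YAML = """\
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer   # step 1
permissions_validity_in_ms: 2000
# permissions_update_interval_in_ms: 2000
"""

KEYS = ("authenticator", "authorizer",
        "permissions_validity_in_ms", "permissions_update_interval_in_ms")

def read_settings(text):
    """Collect the top-level keys of interest; commented-out lines are ignored."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z_]+):\s*([^#]*)", line)
        if m and m.group(1) in KEYS:
            found[m.group(1)] = m.group(2).strip().strip("'\"")
    return found

def audit(text, max_validity_ms=10000):
    """Return a list of findings; max_validity_ms is an assumed site policy, not a Cassandra limit."""
    s, findings = read_settings(text), []
    authorizer = s.get("authorizer") or "AllowAllAuthorizer"
    if not authorizer.endswith("CassandraAuthorizer"):
        findings.append("authorizer is %s, expected CassandraAuthorizer" % authorizer)
    if (s.get("authenticator") or "AllowAllAuthenticator").endswith("AllowAllAuthenticator"):
        findings.append("authenticator is AllowAll or unset; use any other authenticator")
    if authorizer.endswith("AllowAllAuthorizer"):
        return findings  # permission caching is disabled automatically in this case
    try:
        validity = int(s.get("permissions_validity_in_ms", "2000"))  # 2000 is the stated default
    except ValueError:
        return findings + ["permissions_validity_in_ms is not an integer"]
    if validity == 0:
        findings.append("permission caching is disabled; every lookup fetches role permissions")
    else:
        if "permissions_update_interval_in_ms" not in s:
            findings.append("permissions_update_interval_in_ms not set while caching is enabled")
        if validity > max_validity_ms:  # cached entries outlive a permission change
            findings.append("cached permissions stay valid for up to %d ms" % validity)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_YAML):
        print("FINDING:", finding)
```

The last check is there because a long validity period means a revoked permission can still be honoured from the cache until the entry expires.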


CQL supports these authorization statements: