Creating roles for Kerberos principals

Create roles to match Kerberos principal name.

When using Role Management mode internal, create a role that matches the user's principal name to allow them to log in and execute CQL requests.

Note: DSE supports Kerberos authentication with LDAP role management, when the principal name matches the email address attribute of the LDAP user. Configure the group lookup with the user_memberof_attribute option.

Procedure

  1. Create a role that matches the principal name, including the Kerberos REALM, with login enabled:
    CREATE ROLE "user_name@REALM" 
    WITH LOGIN = true;
    • user_name@REALM - The complete user principal name. Always enclose the role names that include uppercase or special characters in double quotes.
    • LOGIN = true - Allows the role to access the database.
    • (Optional) SUPERUSER = true - Gives full access to all database objects to the user. See Creating superuser accounts.
  2. Bind the assignment to an authentication scheme:
    GRANT EXECUTE 
    ON KERBEROS SCHEME 
    TO 'user_name@REALM';

    Enclose the role name in single quotes, the name is case-sensitive.

  3. To allow another role to manage the new role:
    GRANT AUTHORIZE FOR ALTER, DROP
                                ON new_role_name 
                                TO management_role;
    Tip: All superusers have authorize permissions on all roles. And the role that created the role is granted all permissions on the role.

What's next

Assign permissions to the role, see Authorizing access to database resources.