Creating roles for internal mode

Create roles that match the user name.

DataStax Enterprise Role Manager internal mode matches the name of the authenticated user directly to a role. DSE supports internal role management for users that were authenticated from the following schemes:

  • Internal Scheme:
    • Role name: User name for authentication.
    • Role options: LOGIN = true and PASSWORD = 'some_password'
    • Scheme permissions: GRANT EXECUTE on INTERNAL SCHEME to role_name;
    Note: When both the role-management mode and the authentication scheme are internal, the role whose name matches the user name supplied in the connection request is assigned.
  • Kerberos Scheme:
    • Role name: Exactly matches the Kerberos User Principal Name, including the REALM. Matching is case sensitive, so enclose the role name in single quotes; for example, 'jdoe@EXAMPLE.COM'.
    • Role options: LOGIN = true
    • Scheme permissions: GRANT EXECUTE on KERBEROS SCHEME to role_name;
  • LDAP Scheme:
    • Role name: Exactly matches the user name provided in the connection string. The matching is case sensitive.
    • Role options: LOGIN = true
    • Scheme permissions: GRANT EXECUTE on LDAP SCHEME to role_name;

Prerequisites

These instructions apply to environments that have the following settings:

  • Authenticator, authorizer, and role manager in the cassandra.yaml file:
    authenticator: com.datastax.bdp.cassandra.auth.DseAuthenticator
    authorizer: com.datastax.bdp.cassandra.auth.DseAuthorizer
    role_manager: com.datastax.bdp.cassandra.auth.DseRoleManager
  • Authentication, role management, and authorization options in the dse.yaml file:
    authentication_options:
     default_scheme: ldap
     other_schemes:
       - kerberos
       - internal
    ...
    
    authorization_options:
     enabled: true
    
    ...
    role_management_options:
     mode: internal

Procedure

  • For internal users, create a role with login enabled and an internally stored password:
    CREATE ROLE jane WITH LOGIN = true AND PASSWORD = 'Abc123Jane';

    Use the ALTER ROLE command to change the password.

    Bind the assignment to an authentication scheme:

    GRANT EXECUTE on INTERNAL SCHEME to jane;

    Enclose the role name in single quotes; the name is case sensitive.

  • For a Kerberos User Principal, create a role that includes the REALM (user_name@REALM) with login enabled:
    CREATE ROLE 'jane@EXAMPLE.COM' WITH LOGIN = true;

    Wrap the role name in single quotes to preserve the case. You must set login to true for all Kerberos roles; do NOT set a password.

    Bind the assignment to an authentication scheme:

    GRANT EXECUTE on KERBEROS SCHEME to 'jane@EXAMPLE.COM';

    Enclose the role name in single quotes; the name is case sensitive.

  • For LDAP users, create a role that matches their UID or sAMAccountName (the user filter attribute):
    CREATE ROLE jane WITH LOGIN = true;

    You must set login to true for all LDAP roles; do NOT set a password.

    Bind the assignment to an authentication scheme:

    GRANT EXECUTE on LDAP SCHEME to jane;
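
The scheme rules listed at the top of this page and the three procedure steps above, combined into one added example that is not DataStax code: a small generator that emits the CREATE ROLE and GRANT EXECUTE statements for a user and refuses requests that break the per-scheme rules (no password for Kerberos or LDAP roles, a password required for internal roles, a REALM required in Kerberos role names, and the scheme must be enabled in dse.yaml with role management in internal mode). The dse.yaml content is a constructed in-memory stand-in for the Prerequisites snippet, and the function names (enabled_schemes, cql_string, validate, role_statements) are this example's own.

```python
# Added example (not DataStax code): generate the CQL that maps an authenticated
# user to a role under internal role-management mode, enforcing the per-scheme
# rules described on this page. Function and variable names are this example's own.

# Constructed stand-in for the dse.yaml sections listed under Prerequisites.
DSE_YAML = {
    "authentication_options": {
        "default_scheme": "ldap",
        "other_schemes": ["kerberos", "internal"],
    },
    "role_management_options": {"mode": "internal"},
}


def enabled_schemes(dse_yaml):
    """Schemes a user can authenticate with: the default plus other_schemes."""
    auth = dse_yaml["authentication_options"]
    return {auth["default_scheme"], *auth.get("other_schemes", [])}


def cql_string(value):
    """Single-quoted CQL string literal. Single quotes preserve case, and an
    embedded single quote is doubled so the literal cannot be broken by the name."""
    return "'" + value.replace("'", "''") + "'"


def validate(scheme, user_name, password, dse_yaml=DSE_YAML):
    """Return the list of rule violations (empty when the request is valid)."""
    problems = []
    if dse_yaml["role_management_options"].get("mode") != "internal":
        problems.append("role_management_options.mode must be 'internal'")
    if scheme not in ("internal", "kerberos", "ldap"):
        problems.append(f"unsupported scheme {scheme!r}")
    elif scheme not in enabled_schemes(dse_yaml):
        problems.append(f"scheme {scheme!r} is not enabled in dse.yaml")
    if not user_name:
        problems.append("user name must not be empty")
    if scheme == "internal" and not password:
        problems.append("internal roles need an internally stored password")
    if scheme in ("kerberos", "ldap") and password is not None:
        problems.append(f"{scheme} roles must not have a password")
    if scheme == "kerberos" and "@" not in user_name:
        problems.append("Kerberos role name must include the REALM (user_name@REALM)")
    return problems


def role_statements(scheme, user_name, password=None, dse_yaml=DSE_YAML):
    """CREATE ROLE and GRANT EXECUTE statements for one user, or raise ValueError."""
    scheme = scheme.lower()
    problems = validate(scheme, user_name, password, dse_yaml)
    if problems:
        raise ValueError("; ".join(problems))
    role = cql_string(user_name)  # exact, case-preserving match to the user name
    options = "LOGIN = true"
    if scheme == "internal":
        options += f" AND PASSWORD = {cql_string(password)}"
    return [
        f"CREATE ROLE {role} WITH {options};",
        f"GRANT EXECUTE ON {scheme.upper()} SCHEME TO {role};",
    ]


if __name__ == "__main__":
    for args in (("internal", "jane", "Abc123Jane"),
                 ("kerberos", "jane@EXAMPLE.COM"),
                 ("ldap", "jane")):
        print("\n".join(role_statements(*args)))
```

The generator always emits the single-quoted form of the role name, which is the form this page calls for wherever the match is case sensitive, and it doubles any embedded single quote so a user name cannot change the shape of the statement. Run the file directly to print the statements for the three users used in the procedure above.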