Controlling access to search indexes

Assign access privileges to roles for search index management.

Permissions and syntax

Set access to search indexes using the following syntax:
  • Allow access to search index:
    GRANT permission_name 
    ON (ALL SEARCH INDICES | SEARCH KEYSPACE keyspace_name | SEARCH INDEX [keyspace_name.]table_name) 
    TO role_name;
  • Remove access to search index:
    REVOKE permission_name 
    ON (ALL SEARCH INDICES | SEARCH KEYSPACE keyspace_name | SEARCH INDEX [keyspace_name.]table_name)  
    FROM role_name;
Table 1. Search index permissions
permission_name | CQL command | Description
ALL PERMISSIONS | (all commands below), GRANT, and REVOKE | Perform any search index actions and authorize other roles to use any of the actions below.
SEARCH.ALTER | ALTER SEARCH INDEX CONFIG and ALTER SEARCH INDEX SCHEMA | Add, drop, and set schema fields and configuration elements in a search index.
SEARCH.COMMIT | COMMIT SEARCH INDEX | Move the search index from RAM buffer to another on-heap memory location that is suitable for searching.
SEARCH.CREATE | CREATE SEARCH INDEX | Define a new search index.
SEARCH.DROP | DROP SEARCH INDEX | Remove a search index.
SEARCH.REBUILD | REBUILD SEARCH INDEX | Rebuild the search index.
SEARCH.RELOAD | RELOAD SEARCH INDEX | Reload the search index.

Requirements to GRANT/REVOKE Search Index permissions

Roles that manage Search Index permissions must have AUTHORIZE on the search index resource:
  • Manage permissions for all search indexes:
    GRANT AUTHORIZE FOR permission_name
    ON ALL SEARCH INDICES 
    TO role_name;
  • Limit permission management to individual tables:
    GRANT AUTHORIZE FOR permission_name
    ON SEARCH INDEX [keyspace_name.]table_name 
    TO role_name;
Note: Superuser roles have permission to perform any action and therefore do not need an explicit AUTHORIZE grant for a permission on a search index resource.

Procedure

  • Set access to all search indexes:
    GRANT ALL PERMISSIONS ON ALL SEARCH INDICES TO role_name;
  • Limit access to a specific table:
    GRANT ALL PERMISSIONS ON SEARCH INDEX [keyspace_name.]table_name TO role_name;
  • Remove previously granted access to all search indexes:
    REVOKE ALL PERMISSIONS ON ALL SEARCH INDICES FROM role_name;
  • Remove previously granted access to a specific table:
    REVOKE ALL PERMISSIONS ON SEARCH INDEX [keyspace_name.]table_name FROM role_name;
  • List all roles that have access to search indexes:
    LIST ALL PERMISSIONS ON (ALL SEARCH INDICES | SEARCH INDEX [keyspace_name.]table_name);
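
The procedure above grants ALL PERMISSIONS, which per Table 1 also lets the role authorize other roles. The following added example (not part of the original documentation) splits the same permissions into narrower roles; the role names, the login role alice, its placeholder password, and the keyspace and table shop.products are hypothetical.

```cql
-- Added example: all role, keyspace and table names are hypothetical.
-- Roles created without LOGIN serve as permission bundles that are
-- granted to login roles.
CREATE ROLE IF NOT EXISTS search_operator;
CREATE ROLE IF NOT EXISTS search_schema_admin;
CREATE ROLE IF NOT EXISTS search_perm_delegate;

-- Placeholder login role and password, for illustration only.
CREATE ROLE IF NOT EXISTS alice
  WITH LOGIN = true AND PASSWORD = 'REPLACE_WITH_REAL_SECRET';

-- Operator: routine maintenance on a single index.
-- SEARCH.CREATE, SEARCH.DROP and SEARCH.ALTER are deliberately not granted.
GRANT SEARCH.COMMIT  ON SEARCH INDEX shop.products TO search_operator;
GRANT SEARCH.RELOAD  ON SEARCH INDEX shop.products TO search_operator;
GRANT SEARCH.REBUILD ON SEARCH INDEX shop.products TO search_operator;

-- Schema admin: may alter index schema and config for every index in
-- one keyspace, instead of ALL SEARCH INDICES.
GRANT SEARCH.ALTER ON SEARCH KEYSPACE shop TO search_schema_admin;

-- Delegate: may grant or revoke only these two permissions, and only
-- on this one index, without being a superuser.
GRANT AUTHORIZE FOR SEARCH.COMMIT ON SEARCH INDEX shop.products TO search_perm_delegate;
GRANT AUTHORIZE FOR SEARCH.RELOAD ON SEARCH INDEX shop.products TO search_perm_delegate;

-- Attach the operator bundle to the login role.
GRANT search_operator TO alice;

-- Review what was granted, per role and across all search indexes.
LIST ALL PERMISSIONS OF search_operator;
LIST ALL PERMISSIONS ON ALL SEARCH INDICES;

-- Tighten later: remove a single permission rather than everything.
REVOKE SEARCH.REBUILD ON SEARCH INDEX shop.products FROM search_operator;
```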