Authorizing remote procedure calls for CQL execution

DataStax Enterprise supports authentication and role-based access control for Remote Procedure Calls to the DSE database.

The syntax for remote calls for the specified procedure on the remote host is:

CALL Object.Method(parameter1, parameter2)

RPC permissions

RPC permissions are role-based to provide fine-grained control over which roles can execute which commands. The GRANT and REVOKE CQL commands provide and revoke access to objects and methods.

DataStax Enterprise supports this CQL syntax in cqlsh to grant RPC permissions:

GRANT <permission> ON ALL REMOTE CALLS TO <role>;
GRANT EXECUTE ON REMOTE OBJECT <object> TO <role>;
GRANT EXECUTE ON REMOTE METHOD <object.method> TO <role>;

DataStax Enterprise supports this CQL syntax in cqlsh to revoke RPC permissions:

REVOKE EXECUTE ON ALL REMOTE CALLS FROM <role>;
REVOKE EXECUTE ON REMOTE OBJECT <object> FROM <role>;
REVOKE EXECUTE ON REMOTE METHOD <object.method> FROM <role>;

where:

  • EXECUTE is the only permission that applies to RPC. For more details, see the Access Control Matrix.

  • <role> is the role to which the permission is granted or from which it is revoked.

Granting RPC permissions to DseClientTool

You can configure RPC permissions for external clients to run the dse client-tool command and to launch Spark:

GRANT EXECUTE ON REMOTE OBJECT DseClientTool TO <USER>;

Whether RPC permission is required for the DseClientTool object depends on the intended usage. Starting in DSE 5.1, the dse client-tool spark master-address command requires no permission because it performs no remote operation: it does not return the current Spark Master address, since Spark may connect to any node in DSE.

However, the dse client-tool spark leader-address command, which returns the actual Spark Master address, executes a remote command and therefore requires the RPC permission.

If access is attempted without permission, you will see an error message similar to:

com.datastax.driver.core.exceptions.UnauthorizedException: User X has no EXECUTE permission on <rpc method DseClientTool.getSparkMasterAddress> or any of its parents

To resolve the problem, set RPC permissions for the DseClientTool object. For example:

GRANT EXECUTE ON REMOTE OBJECT DseClientTool TO ADMINROLE;

Managing the permissions of a large number of users can be considerably simplified through the reuse of a small number of high-level roles.
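The following CQL session is an added example, not part of the DataStax page: it applies the grant syntax above at the narrowest scope (the single method named in the error message, rather than the whole DseClientTool object), places the permission on a small reusable role, and shows how to verify and withdraw it. The role names, the login user and the password are constructed placeholders.

```sql
-- Added example (not from the DataStax page): least-privilege RPC grants in CQL.
-- Role names, the login user and the password below are constructed placeholders.

-- 1. A small, reusable operations role that holds the RPC permission.
CREATE ROLE IF NOT EXISTS spark_ops;

-- 2. Grant only the method that the leader-address command needs (the method
--    named in the UnauthorizedException above), not EXECUTE on the whole object.
GRANT EXECUTE ON REMOTE METHOD DseClientTool.getSparkMasterAddress TO spark_ops;

-- 3. A login role for a human user; it inherits the RPC permission through
--    spark_ops, so individual users never receive direct RPC grants.
CREATE ROLE IF NOT EXISTS analyst_alice WITH LOGIN = true AND PASSWORD = 'CHANGE_ME';
GRANT spark_ops TO analyst_alice;

-- 4. Verify the effective permissions (including inherited ones) before
--    handing out credentials.
LIST ALL PERMISSIONS OF analyst_alice;

-- 5. Offboarding: revoking the group role removes RPC access for this user
--    without touching the permission held by spark_ops.
REVOKE spark_ops FROM analyst_alice;

-- 6. If the operations role itself is retired, revoke the method grant as well.
REVOKE EXECUTE ON REMOTE METHOD DseClientTool.getSparkMasterAddress FROM spark_ops;
```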


© 2024 DataStax | Privacy policy | Terms of use
