Creating roles for internal mode

DataStax Enterprise Role Manager internal mode matches the name of the authenticated user directly to a role. DSE supports internal role management for users that were authenticated from the following schemes:

  • Internal Scheme:

    • Role name: User name for authentication.

    • Role options: LOGIN = true and PASSWORD = '<some_password>'

    • Scheme permissions: GRANT EXECUTE on INTERNAL SCHEME to <role_name>;

      When both mode and authentication scheme is internal, the role that matches the user name supplied in the connection request is assigned.

  • Kerberos Scheme:

    • Role name: Exactly matches the Kerberos User Principal Name including REALM. Matching is case sensitive, enclose the role name in quotes. For example, 'jdoe@EXAMPLE.COM'.

    • Role options: LOGIN = true

    • Scheme permissions: GRANT EXECUTE on KERBEROS SCHEME to <role_name>;

  • LDAP Scheme:

    • Role name: Exactly match the user name provided in the connection string. The matching is case sensitive.

    • Role options: LOGIN = true

    • Scheme permissions: GRANT EXECUTE on LDAP SCHEME to <role_name>;

Prerequisites

These instructions apply to environments that have the following settings:

  • Authenticator, authorizer, and role manager in the cassandra.yaml file:

    authenticator: com.datastax.bdp.cassandra.auth.DseAuthenticator
authorizer: com.datastax.bdp.cassandra.auth.DseAuthorizer
role_manager: com.datastax.bdp.cassandra.auth.DseRoleManager

  • Authentication, role management, and authorization options in the dse.yaml file:

    authentication_options:
 default_scheme: ldap
 other_schemes:
   - kerberos
   - internal
...

authorization_options:
 enabled: true

...
role_management_options:
 mode: internal

Procedure

  • For internal users, create a role with login enabled and an internally stored password:

    CREATE ROLE jane WITH LOGIN = true AND PASSWORD = 'Abc123Jane';

    Use the ALTER ROLE command to change the password.

    Bind the assignment to an authentication scheme:

    GRANT EXECUTE on INTERNAL SCHEME to jane;

    Enclose the role name in single quotes, the name is case sensitive.

  • For Kerberos User Principal create a role that includes the REALM, user_name@REALM, with login enabled:

    CREATE ROLE 'jane@EXAMPLE.COM' WITH LOGIN = true;

    Wrap the role name in single quotes to preserve the case. You must set login to true for all Kerberos roles, do NOT set a password.

    Bind the assignment to an authentication scheme:

    GRANT EXECUTE on KERBEROS SCHEME to 'jane@EXAMPLE.COM';

    Enclose the role name in single quotes, the name is case sensitive.

  • For LDAP users create a role that matches their UID or samAccountName (user filter attribute):

    CREATE ROLE jane WITH LOGIN = true;

    You must set login to true for all LDAP roles, do NOT set a password.

    Bind the assignment to an authentication scheme:

    GRANT EXECUTE on LDAP SCHEME to jane;

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com