Creating roles for LDAP mode
When Role Management mode is set to LDAP, the DataStax Enterprise Role Manager looks up the user in LDAP and returns a list of groups.
The group lookup is configured in the ldap_options section of dse.yaml.
The following rules apply:
-
Matching of LDAP group names to role names is case sensitive: the role name must exactly match the value of the group name attribute.
-
One or more of the user’s LDAP group names must match a role to allow CQL requests.
-
At least one role matching the user’s group must have LOGIN enabled.
-
Any user that is a member of an LDAP group that matches a role name is assigned a role.
-
Create a role for each LDAP group that has a distinct permission set.
DSE disables nested roles when LDAP mode is selected; using GRANT <role_name> TO <role_name> results in an error.
DSE can also look up group membership for users who authenticated with a different scheme, such as internal or Kerberos, provided the user name matches the LDAP user filter.
Typically, a Kerberos full principal name matches the user’s email address.
To use Kerberos authentication with LDAP group lookup, specify in the LDAP user filter the user attribute whose value matches the Kerberos principal name.
All permissions granted to roles that reflect LDAP groups to which the user belongs, directly or indirectly, are inherited. The inherited permissions include login permission, scheme permissions, proxy execution permissions, and object permissions.
Prerequisites
These instructions apply to environments that have the following settings:
-
Authenticator, authorizer, and role manager in the cassandra.yaml file:
authenticator: com.datastax.bdp.cassandra.auth.DseAuthenticator
authorizer: com.datastax.bdp.cassandra.auth.DseAuthorizer
role_manager: com.datastax.bdp.cassandra.auth.DseRoleManager
-
Authentication, role management, and authorization options in the dse.yaml file:
authentication_options:
  default_scheme: ldap
  other_schemes:
    - kerberos
    - internal
  ...
authorization_options:
  enabled: true
  ...
role_management_options:
  mode: ldap
Procedure
-
Create a role.
This example shows a role for users in the analyst LDAP group:
CREATE ROLE analyst WITH LOGIN = true;
Superusers can grant and revoke permissions to any role but their own.
-
Bind the assignment to the LDAP authentication scheme:
GRANT EXECUTE on LDAP SCHEME to analyst;
Enclose the role name in single quotes to preserve uppercase letters; CQL folds unquoted identifiers to lowercase, and the match against the LDAP group name is case sensitive.
This step is required only when scheme_permissions is set to true in authentication_options. With scheme permissions enforced, the role manager assigns the role only to users who authenticated with a scheme the role has EXECUTE permission on, here the LDAP scheme.
-
Allow SELECT in cycling keyspace:
GRANT SELECT on KEYSPACE cycling to analyst;
Any user in the analyst group can query all tables in the cycling keyspace.
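The complete procedure above, extended to a user who belongs to two LDAP groups, as an added example that is not part of the original page or of DSE's own documentation. The group names analyst and Cycling-Readers, and the split of login and object permissions across them, are assumptions chosen to exercise the rules listed earlier: the mixed-case group needs a quoted role name, only one of the matching roles needs LOGIN, and membership cannot be wired up with GRANT role TO role in LDAP mode.

```sql
-- Added example (not from the original page). Assumed LDAP groups:
--   analyst          - members may log in
--   Cycling-Readers  - members may read the cycling keyspace
-- Both group names are hypothetical.

-- 1. Login role matching the lowercase LDAP group "analyst".
--    CQL folds unquoted identifiers to lowercase, so analyst and 'analyst'
--    are the same role name.
CREATE ROLE analyst WITH LOGIN = true;

-- 2. Permission-only role matching the mixed-case group "Cycling-Readers".
--    Quoting is mandatory: unquoted, CQL would store cycling-readers, which
--    never matches the group_name_attribute value and is never assigned.
CREATE ROLE 'Cycling-Readers' WITH LOGIN = false;

-- 3. Needed only when scheme_permissions is true in dse.yaml.
--    Granted on both roles so neither is withheld from users who
--    authenticated through the LDAP scheme.
GRANT EXECUTE ON LDAP SCHEME TO analyst;
GRANT EXECUTE ON LDAP SCHEME TO 'Cycling-Readers';

-- 4. Object permissions live on the permission-only role. A user who is in
--    both groups inherits LOGIN from analyst and SELECT from Cycling-Readers.
GRANT SELECT ON KEYSPACE cycling TO 'Cycling-Readers';

-- Not allowed in LDAP mode; nesting comes from directory membership, not GRANT:
-- GRANT 'Cycling-Readers' TO analyst;   -- returns an error

-- 5. Verify what each role carries before pointing users at it.
LIST ALL PERMISSIONS OF analyst;
LIST ALL PERMISSIONS OF 'Cycling-Readers';
```

A user who is only in Cycling-Readers cannot connect at all, because no role matching their groups has LOGIN enabled; a user only in analyst can connect but gets no access to cycling. That separation is the point of creating one role per group with a distinct permission set rather than folding everything into the login role.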