About roles

Role-based access control (RBAC) is only available after completing Enabling DSE Unified Authentication.

A role is a database resource to which privileges to access other database resources are assigned. A role is also an individual user for authentication purposes when using the internal authentication scheme. To execute CQL commands in DSE authorization enabled environments, a user must have at least one role with login privileges.

Understanding role assignment

The DSE Role Manager mode in dse.yaml affects how a role is assigned to an authenticated user:

  • internal: Uses a primary role for each individual user and is a 1-to-1 mapping. A role is assigned by matching the authenticated user name to a role name.

    Manage permissions by nesting roles. Use GRANT <role_name> TO <role_name> to give all the permissions of the first role to the second role.

  • ldap: Uses LDAP group membership and is a 1-to-many mapping. The DSE Role Manager looks up the user in LDAP and returns a list of groups. Users are assigned all the roles that match their group names. Roles for each individual user are not required, and the user's DSE role automatically changes as LDAP group membership changes.

    Manage permissions for each group. DSE disables nested roles when LDAP mode is selected; using GRANT <role_name> TO <role_name> results in an error.

Configure the assignment method by setting role_management_options and mode in the dse.yaml.

Use the CQL CREATE ROLE, ALTER ROLE, and DROP ROLE commands to manage roles.

Managing roles

Creating a role to manage access to database objects is a two-step process: first CREATE ROLE, then GRANT permissions on a resource to that role.

Use the CQL CREATE ROLE, ALTER ROLE, and DROP ROLE commands to manage roles using the following syntax:

(CREATE | ALTER | DROP) ROLE <role_name>
 [WITH (LOGIN = true | SUPERUSER = true | PASSWORD = 'password')];

Role properties:

  • SUPERUSER: (Default: false) Execute ALL CQL commands, equivalent to a root account.

    DataStax recommends giving superuser status only to a limited number of users and managing superuser authentication with the internal scheme. When using LDAP group management (role_management_options.mode: ldap), to prevent unintentional role assignment, set authentication_options.scheme_permissions: true and bind the superuser role to the internal scheme (see Binding a role to an authentication scheme).

  • LOGIN: (Default: false) Required to execute CQL requests.

    When managing permissions using roles as an assignable permission set, the permission set role does not require login.

  • PASSWORD: (Default: null) Stores a bcrypt-salted hash password for the role in the system_auth keyspace; a role that has a password represents an individual user that can authenticate against the internal scheme (also requires LOGIN = true).
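The following CQL is an added example, not from the DataStax documentation, showing the internal-mode pattern described under Understanding role assignment together with the two-step CREATE ROLE then GRANT process: a permission-set role that cannot log in, an individual user role with a password, and nesting via GRANT <role_name> TO <role_name>. The keyspace name, role names and password are constructed placeholders.

```cql
-- Added example. Role names, the keyspace and the password are constructed placeholders.
-- Assumes role_management_options.mode: internal (1-to-1 user-to-role mapping).

-- 1. A permission-set role. LOGIN and SUPERUSER default to false and no password is set,
--    so this role can never authenticate; it only carries permissions.
CREATE ROLE orders_reader;

-- 2. Grant the set role the privileges it should carry.
GRANT SELECT ON KEYSPACE orders TO orders_reader;

-- 3. An individual user: LOGIN = true plus a password, stored as a bcrypt-salted hash
--    in system_auth. The password value is a placeholder only.
CREATE ROLE alice WITH PASSWORD = 'CHANGE-ME-placeholder' AND LOGIN = true;

-- 4. Nest the roles: alice inherits everything granted to orders_reader.
--    Valid in internal mode only; in ldap mode this statement returns an error.
GRANT orders_reader TO alice;

-- 5. Rotate the user's password later without touching the permission set.
ALTER ROLE alice WITH PASSWORD = 'CHANGE-ME-new-placeholder';

-- 6. Review what alice holds. Requires DESCRIBE on the role (or SUPERUSER).
LIST ROLES OF alice;
```

Keeping permissions on the non-login set role and membership on the login role means a user can be dropped or re-assigned without re-granting resource permissions, and a compromised user role carries no more than the set roles it was granted.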

Use the LIST ROLES command to show all roles that you have DESCRIBE permission on, or all roles assigned to a specified role.

LIST ROLES [OF <role_name>];

Only SUPERUSER roles or roles with CREATE, ALTER, and DROP permission can manage roles.

Permissions to create, modify, and drop roles

To manage roles the following permissions are required:

Role management permissions

Permission: ALTER
  Database resource: ALL ROLES | ROLE <role_name>
  Description: ALTER ROLE on all roles, or only on the specified role.

Permission: CREATE
  Database resource: ALL ROLES | ROLE <role_name>
  Description: CREATE ROLE with any name, or only a role with the specified name. The creating role is automatically granted AUTHORIZE on the new role.

Permission: DESCRIBE
  Database resource: ALL ROLES | ROLE <role_name>
  Description: LIST ROLES on all roles, or only the roles granted to the specified role.

Permission: DROP
  Database resource: ALL ROLES | ROLE <role_name>
  Description: DROP ROLE on any role, or only the specified role.

Permissions to manage access control

To manage permissions, the role executing the GRANT or REVOKE command must have AUTHORIZE permission on both the target role and the resource.

To allow a role to manage permissions of a database object:

GRANT AUTHORIZE ON <resource_name> TO <management_role>;

To allow a role to manage permissions of a role:

GRANT AUTHORIZE ON <target_role> TO <management_role>;

To allow a role to create proxy roles:

GRANT AUTHORIZE ON <proxy_role> TO <management_role>;
GRANT AUTHORIZE ON <application_role> TO <management_role>;

where AUTHORIZE gives the management role GRANT and REVOKE permission for managing the permissions of other roles, and resource_name is any database resource (see Database resources).

Restriction: The following rules apply when managing roles and access to database objects:

  • Creating a new role requires CREATE permission on all roles. The role used to create a role is automatically granted AUTHORIZE permission on the new role.

  • GRANT/REVOKE requires AUTHORIZE permission on the target role and database resource.

  • A role can only modify roles other than itself. This prevents users with ALTER permission from making their own account a SUPERUSER or creating a role with a higher level of permission than their own.
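As an added example (not from the DataStax documentation), the following CQL applies the AUTHORIZE rules above to delegate permission management for one keyspace to a non-superuser administrative role, and shows what that role can and cannot do as a result. Role names, the keyspace names and the passwords are constructed placeholders.

```cql
-- Added example. Role names, keyspaces and passwords are constructed placeholders.
-- Goal: let orders_admin manage who may read the "orders" keyspace, without SUPERUSER.

-- Run as a superuser (or a role that already holds AUTHORIZE on these resources):
CREATE ROLE orders_admin WITH PASSWORD = 'CHANGE-ME-placeholder' AND LOGIN = true;
CREATE ROLE orders_reader;                                   -- permission-set role, no login
CREATE ROLE bob WITH PASSWORD = 'CHANGE-ME-placeholder' AND LOGIN = true;

-- AUTHORIZE on the database object: orders_admin may GRANT/REVOKE permissions on this keyspace only.
GRANT AUTHORIZE ON KEYSPACE orders TO orders_admin;

-- AUTHORIZE on the target roles: orders_admin may GRANT/REVOKE involving these roles only.
GRANT AUTHORIZE ON ROLE orders_reader TO orders_admin;
GRANT AUTHORIZE ON ROLE bob TO orders_admin;

-- Now logged in as orders_admin. Each statement needs AUTHORIZE on both the role and the
-- resource involved, which the grants above provide:
GRANT SELECT ON KEYSPACE orders TO orders_reader;   -- AUTHORIZE on keyspace orders + role orders_reader
GRANT orders_reader TO bob;                          -- AUTHORIZE on the roles involved (internal mode only)

-- What orders_admin cannot do: it holds no AUTHORIZE on ALL KEYSPACES or ALL ROLES, so a
-- statement touching another keyspace or an unrelated role is rejected as unauthorized, e.g.
--   GRANT MODIFY ON KEYSPACE payroll TO bob;
-- and, because a role can only modify roles other than itself, it cannot do
--   ALTER ROLE orders_admin WITH SUPERUSER = true;

-- Audit the outcome (requires DESCRIBE on the role, or SUPERUSER):
LIST ALL PERMISSIONS OF bob;
LIST ROLES OF bob;
```

Scoping AUTHORIZE to specific keyspaces and roles, rather than ALL KEYSPACES or ALL ROLES, keeps the blast radius of a compromised administrative role to the objects it was meant to manage, and the LIST statements at the end are the check to run after any delegation change.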

© 2024 DataStax | Privacy policy | Terms of use
