Controlling access to search indexes
Assign access privileges to roles for search index management.
Permissions and syntax
Setting access to search indexes using the following syntax:
-
Allow access to search index:
GRANT <permission_name> ON (ALL SEARCH INDICES | SEARCH KEYSPACE <keyspace_name> | SEARCH INDEX [<keyspace_name>.]<table_name>) TO <role_name>;
-
Remove access to search index:
REVOKE <permission_name> ON (ALL SEARCH INDICES | SEARCH KEYSPACE <keyspace_name> | SEARCH INDEX [<keyspace_name>.]<table_name>) FROM <role_name>;
permission_name | CQL command | Description |
---|---|---|
ALL PERMISSIONS |
Perform any search index actions and authorize other roles to use any of the actions below. |
|
SEARCH.ALTER |
Add, drop, and set schema fields and configuration elements in a search index. |
|
SEARCH.COMMIT |
Move the search index from RAM buffer to another on-heap memory location that is suitable for searching. |
|
SEARCH.CREATE |
Define a new search index. |
|
SEARCH.DROP |
Remove a search index. |
|
SEARCH.REBUILD |
Rebuilds the index of the search index. |
|
SEARCH.RELOAD |
Reloads the search index. |
Requirements to GRANT/REVOKE Search Index permissions
Roles that manage Search Index permissions must have AUTHORIZE on the search index resource:
-
Manage permissions for all search indexes:
GRANT AUTHORIZE FOR <permission_name> ON ALL SEARCH INDICES TO <role_name>;
-
Limit permissions to manage permissions to individual tables:
GRANT AUTHORIZE FOR <permission_name> ON SEARCH INDEX [<keyspace_name>.]<table_name> TO <role_name>;
Superuser roles have permission to perform any action; therefore do not require explicitly granting authorize for a permission on search indexes resource. |
Procedure
-
Set access to all search indexes:
GRANT ALL PERMISSIONS ON ALL SEARCH INDICES TO role_name;
-
Limit access to a specific table:
GRANT ALL PERMISSIONS ON SEARCH INDEX [<keyspace_name>.]<table_name>) TO <role_name>;
-
Remove previously granted access to all search indexes:
REVOKE ALL PERMISSIONS ON ALL SEARCH INDICES FROM <role_name>;
-
Remove previously granted access to a specific table:
REVOKE ALL PERMISSIONS ON SEARCH INDEX [keyspace_name.]<table_name>) FROM <role_name>;
-
List all roles that have access to search indexes:
LIST ALL PERMISSIONS ON (ALL SEARCH INDICES|[<keyspace_name>.]<table_name>);