GRANT
Allow access to database resources.
Assigns privileges to roles on database resources, such as keyspaces, tables, and functions.
INSERT
or UPDATE
command if access permissions are enabled, a user must
be granted MODIFY
or ALL PERMISSIONS
on the base
table.Synopsis
GRANT permission ON object TO role_name ;
Syntax conventions | Description |
---|---|
UPPERCASE | Literal keyword. |
Lowercase | Not literal. |
Italics |
Variable value. Replace with a user-defined value. |
[] |
Optional. Square brackets ( [] ) surround
optional command arguments. Do not type the square brackets. |
( ) |
Group. Parentheses ( ( ) ) identify a group to
choose from. Do not type the parentheses. |
| |
Or. A vertical bar ( | ) separates alternative
elements. Type any one of the elements. Do not type the vertical
bar. |
... |
Repeatable. An ellipsis ( ... ) indicates that
you can repeat the syntax element as often as required. |
'Literal string' |
Single quotation ( ' ) marks must surround
literal strings in CQL statements. Use single quotation marks to
preserve upper case. |
{ key : value
} |
Map collection. Braces ( { } ) enclose map
collections or key value pairs. A colon separates the key and the
value. |
<datatype1,datatype2> |
Set, list, map, or tuple. Angle brackets ( <
> ) enclose data types in a set, list, map, or tuple.
Separate the data types with a comma. |
cql_statement; |
End CQL statement. A semicolon ( ; ) terminates
all CQL statements. |
[--] |
Separate the command line options from the command arguments with
two hyphens ( -- ). This syntax is useful when
arguments might be mistaken for command line options. |
' <schema> ... </schema>
' |
Search CQL only: Single quotation marks ( ' )
surround an entire XML schema declaration. |
@xml_entity='xml_entity_type' |
Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrConfig files. |
- permission
-
Type of access a role has on a database resource. Use
ALL PERMISSIONS
or a comma separated list of permissions.Permissions are resource specific as follows:
- Data -
ALL PERMISSIONS
orALTER
,AUTHORIZE [FOR permission_list]
,CREATE
,DESCRIBE
,DROP
,MODIFY
, andSELECT
- Functions (and aggregates) -
ALL PERMISSIONS
orALTER
,AUTHORIZE [FOR permission_list]
,CREATE
, andDROP
- Search indexes -
AUTHORIZE [FOR permission_list]
,SEARCH.ALTER
,SEARCH.COMMIT
,SEARCH.CREATE
,SEARCH.DROP
,SEARCH.REBUILD
, andSEARCH.RELOAD
- Roles -
ALL PERMISSIONS
orALTER
,AUTHORIZE [FOR permission_list]
,CREATE
,DESCRIBE
,DROP
,PROXY.EXECUTE
, andPROXY.LOGIN
- JMX (MBeans) -
ALL PERMISSIONS
orAUTHORIZE [FOR permission_list]
,DESCRIBE
,EXECUTE
,MODIFY
, andSELECT
- Remote procedure calls (RPC) -
ALL PERMISSIONS
orAUTHORIZE [FOR permission_list]
,EXECUTE
,MODIFY
, andSELECT
- Authentication schemes -
ALL PERMISSIONS
orAUTHORIZE [FOR permission_list]
andEXECUTE
- Spark workpools -
ALL PERMISSIONS
orAUTHORIZE [FOR permission_list]
,CREATE
, andDESCRIBE
- Spark submissions -
ALL PERMISSIONS
orAUTHORIZE [FOR permission_list]
,DESCRIBE
, andMODIFY
Note: To manage access control the role must have authorize permission on the resource for the type of permission. When AUTHORIZE is granted without specifyingFOR permission
, the role can manage all permissions on the object. - Data -
- resource_name
-
DataStax Enterprise database objects on which permissions are applied. Database resources have modelled hierarchy, the permission on a top level object gives the role the same permission on the objects ancestors. Identify the resource using the following keywords:
- Data -
ALL KEYSPACES
>KEYSPACE
keyspace_name >TABLE table_name
>'filtering_data' ROWS IN table_name
- Function (including
aggegrates) -
ALL FUNCTIONS
,ALL FUNCTIONS IN KEYSPACE keyspace_name
, andFUNCTION keyspace_name.function_name( argument_types)
- Search indexes -
ALL SEARCH INDICES
> SEARCH KEYSPACE keyspace_name >SEARCH INDICES [keyspace_name.]table_name
- JMX MBeans -
ALL MBEANS > MBEAN mbean_name
andMBEANS pattern
- Remote procedure calls (RPC) -
ALL REMOTE CALLS
>REMOTE METHOD name
|REMOTE OBJECT name
- Roles -
ALL ROLES
>ROLE role_name
- Authentication schemes
-
ALL SCHEMES
>LDAP
|KERBEROS
|INTERNAL
- Analytic applications
- Workpools -
ANY WORKPOOL
>WORKPOOL 'dc_name.*'
>WORKPOOL 'dc_name.workpool_name'
- Submissions -
ANY SUBMISSION
>ANY SUBMISSION IN WORKPOOL 'datacenter_name.*' > 'datacenter_name.workpool_name' > SUBMISSION ID
- Workpools -
- Data -
Examples
In most environments, user authentication is handled by a plug-in that verifies the user credentials against an external directory service such as LDAP. For simplicity, the following examples use internal users.
Manage object permissions
AUTHORIZE
to allow a role to manage access control of specific resources.- Allow role to grant any permission type, including
AUTHORIZE
, on all objects in the cycling keyspace:GRANT AUTHORIZE ON KEYSPACE cycling TO cycling_admin;
Warning: This makes the role a superuser in the cycling keyspace because roles can modify their own permissions as well as roles that they inherit permissions from. - Allow the sam role to assign permission to run queries and
change data in the cycling
keyspace:
GRANT AUTHORIZE FOR SELECT, MODIFY ON KEYSPACE cycling TO sam;
Tip: Thesam
role cannot grant other permissions such asAUTHORIZE
,AUTHORIZE FOR ...
,ALTER
,CREATE
,DESCRIBE
, andDROP
to another role.
Access to data resources
Use the data resource permissions to manage access to keyspaces, tables, rows, and types.
GRANT ALL PERMISSIONS ON KEYSPACE cycling TO cycling_admin;
SELECT
statements and modify data on all tables in the cycling
keyspace:GRANT SELECT, MODIFY ON KEYSPACE cycling TO coach;
ALTER
KEYSPACE
statements on the cycling keyspace, and also ALTER
TABLE
, CREATE INDEX
and DROP INDEX
statements
on all tables in cycling
keyspace:GRANT ALTER ON KEYSPACE cycling TO coach;
SELECT
statements on rows that contain 'Sprint' in cycling.cyclist_category
table:GRANT SELECT ON 'Sprint' ROWS IN cycling.cyclist_category TO martin;
To view permissions see LIST PERMISSIONS.