GRANT

Allow access to database resources.

Assigns privileges to roles on database resources, such as keyspaces, tables, functions.

Important: Permissions apply immediately, even to active client sessions.
Restriction: Enable authentication and authorization to control access to database resources. See Enabling DSE Unified Authentication.

Synopsis

GRANT permission
ON object
TO role_name;
Table 1. Legend
Syntax conventions Description
UPPERCASE Literal keyword.
Lowercase Not literal.
Italics Variable value. Replace with a user-defined value.
[] Optional. Square brackets ( [] ) surround optional command arguments. Do not type the square brackets.
( ) Group. Parentheses ( ( ) ) identify a group to choose from. Do not type the parentheses.
| Or. A vertical bar ( | ) separates alternative elements. Type any one of the elements. Do not type the vertical bar.
... Repeatable. An ellipsis ( ... ) indicates that you can repeat the syntax element as often as required.
'Literal string' Single quotation ( ' ) marks must surround literal strings in CQL statements. Use single quotation marks to preserve upper case.
{ key : value } Map collection. Braces ( { } ) enclose map collections or key value pairs. A colon separates the key and the value.
<datatype1,datatype2> Set, list, map, or tuple. Angle brackets ( < > ) enclose data types in a set, list, map, or tuple. Separate the data types with a comma.
cql_statement; End CQL statement. A semicolon ( ; ) terminates all CQL statements.
[--] Separate the command line options from the command arguments with two hyphens ( -- ). This syntax is useful when arguments might be mistaken for command line options.
' <schema> ... </schema> ' Search CQL only: Single quotation marks ( ' ) surround an entire XML schema declaration.
@xml_entity='xml_entity_type' Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrConfig files.
permission

Type of access a role has on a database resource. Use ALL PERMISSIONS or a comma separated list of permissions.

Permissions are resource specific as follows:

  • Data - ALL PERMISSIONS or ALTER, AUTHORIZE [FOR permission_list], CREATE, DESCRIBE, DROP, MODIFY, and SELECT
  • Functions (and aggregates) - ALL PERMISSIONS or ALTER, AUTHORIZE [FOR permission_list], CREATE, and DROP
  • Search indexes - AUTHORIZE [FOR permission_list], SEARCH.ALTER, SEARCH.COMMIT, SEARCH.CREATE, SEARCH.DROP, SEARCH.REBUILD, and SEARCH.RELOAD
  • Roles - ALL PERMISSIONS or ALTER, AUTHORIZE [FOR permission_list], CREATE, DESCRIBE, DROP, PROXY.EXECUTE, and PROXY.LOGIN
  • JMX (MBeans) - ALL PERMISSIONS or AUTHORIZE [FOR permission_list], DESCRIBE, EXECUTE, MODIFY, and SELECT
  • Remote procedure calls (RPC) - ALL PERMISSIONS or AUTHORIZE [FOR permission_list], EXECUTE, MODIFY, and SELECT
  • Authentication schemes - ALL PERMISSIONS or AUTHORIZE [FOR permission_list] and EXECUTE
  • Spark workpools - ALL PERMISSIONS or AUTHORIZE [FOR permission_list], CREATE, and DESCRIBE
  • Spark submissions - ALL PERMISSIONS or AUTHORIZE [FOR permission_list], DESCRIBE, and MODIFY
Note: To manage access control the role must have authorize permission on the resource for the type of permission. When AUTHORIZE is granted without specifying FOR permission, the role can manage all permissions on the object.
resource_name
DataStax Enterprise database objects on which permissions are applied. Database resources have modelled hierarchy, the permission on a top level object gives the role the same permission on the objects ancestors. Identify the resource using the following keywords:
  • Data - ALL KEYSPACES > KEYSPACE keyspace_name > TABLE table_name > 'filtering_data' ROWS IN table_name
  • Function (including aggegrates) - ALL FUNCTIONS, ALL FUNCTIONS IN KEYSPACE keyspace_name, and FUNCTION keyspace_name.function_name( argument_types)
  • Search indexes - ALL SEARCH INDICES > SEARCH KEYSPACE keyspace_name > SEARCH INDICES [keyspace_name.]table_name
  • JMX MBeans - ALL MBEANS > MBEAN mbean_name and MBEANS pattern
  • Remote procedure calls (RPC) - ALL REMOTE CALLS > REMOTE METHOD name | REMOTE OBJECT name
  • Roles - ALL ROLES > ROLE role_name
  • Authentication schemes - ALL SCHEMES > LDAP | KERBEROS | INTERNAL
  • Analytic applications
    • Workpools - ANY WORKPOOL > WORKPOOL name
    • Submissions - ANY SUBMISSION > ANY SUBMISSION IN WORKPOOL datacenter_name > SUBMISSION ID

Examples

In most environments, user authentication is handled by a plug-in that verifies users credentials against an external directory service such as LDAP. For simplicity, these examples use internal users.

Manage object permissions

Use AUTHORIZE to allow a role to manage access control of specific resources.
  • Allow role to grant any permission type, including AUTHORIZE, on all objects in the cycling keyspace:
    GRANT AUTHORIZE ON KEYSPACE cycling TO cycling_admin;
    Warning: This makes the role a superuser in the cycling keyspace because roles can modify their own permissions as well as roles that they inherit permissions from.
  • Allow the sam role to assign permission to run queries and change data on the cyclist_stats table:
    GRANT AUTHORIZE FOR SELECT, MODIFY ON KEYSPACE cycling TO sam;
    Tip: The sam role cannot grant other permissions such as AUTHORIZE/AUTHORIZE FOR ..., ALTER, CREATE, DESCRIBE, and DROP to another role.

Access to data resources

Use the data resource permissions to manage access to keyspaces, tables and rows, and types.

Give the cycling_admin role all permissions to the cycling keyspace:
GRANT ALL PERMISSIONS ON KEYSPACE cycling TO cycling_admin;
Give the role coach permission to perform SELECT queries and modify data on all tables in the cycling keyspace:
GRANT SELECT, MODIFY ON KEYSPACE cycling TO coach;
Give the role coach permission to perform ALTER KEYSPACE queries on the cycling keyspace, and also ALTER TABLE, CREATE INDEX and DROP INDEX queries on all tables in cycling keyspace:
GRANT ALTER ON KEYSPACE cycling TO coach;
Give the role martin permission to perform SELECT on rows that contain 'Sprint' in cycling.cyclist_category table:
GRANT SELECT ON 'Sprint' ROWS IN cycling.cyclist_category TO martin;
Note: The filtering_data is case-sensitive.

To view permissions see LIST PERMISSIONS.