Adding database users

Set up the primary login roles for users that are authenticated against the DSE database.

A user account stored in the DataStax Enterprise database is a role that has a login and password.
Note: To set up the DSE database user directory feature, set a scheme in the Authentication options to internal.

Procedure

  1. Create a role with login enabled and an internally stored password:
    CREATE ROLE role_name 
    WITH LOGIN = true 
    AND PASSWORD = 'password_string';
    where
    • role_name - The user name for authentication. Enclose the role names that include uppercase or special characters in double quotes.
    • LOGIN = true - Allows the role to access the database.
    • PASSWORD = 'default_password' - Stored internally for database managed accounts.
    • (Optional) superuser = true - Gives full access to all database objects to the user. See Adding a superuser login.
  2. To allow the role to be used for authentication when scheme_permissions is true, bind the role to an authentication scheme:
    GRANT EXECUTE 
    ON INTERNAL SCHEME 
    TO role_name;
  3. To allow another role to manage the new role:
    GRANT AUTHORIZE FOR ALTER, DROP
    ON new_role_name 
    TO management_role;
    Tip: All superusers have authorize permissions on all roles. And the role that created the role is granted all permissions on the role.
  4. Each user can change their own password with the ALTER ROLE command.
    1. User logs in with their role name:
      cqlsh -u role_name -p default_password
    2. Changes the password:
      ALTER ROLE role_name 
      WITH password = 'newpassword';

What's next

Assign permissions to the role, see Assigning permissions.