Denying permission
Denies permission on a resource, even if the privilege has been directly granted or inherited.
a privilege on a resource to deny access to users with the role. The user is denied access even if the role is a superuser, or the privilege has been granted directly to the role or was inherited. Use to remove any restrictions the role has on the database resource.
Tip: An account with the superuser role has full read/write access to the database. If your goal is that certain database administrators should not be able to see or modify data, do not assign superuser to those accounts. Instead, use RESTRICT to create database administrator accounts that are able to manage database resources and roles, but are unable to see or modify data.
and only allow access to database resources that are .
Procedure
- Log in to CQLSH with a superuser role.
  cqlsh -u username
  CAUTION: Logging in with the default role cassandra may impact performance or fail. All requests including login are executed with consistency QUORUM.
- Create an account with login enabled, but as highlighted in the Tip above, intentionally do not give this db_admin account the superuser role.
  CREATE ROLE IF NOT EXISTS db_admin WITH superuser = false AND login = true AND password = 'anypasswordwilldo';
  Note: A password is required for internal accounts but not for LDAP or Kerberos. See .
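Added example, not part of the original page: one way the db_admin role created above could be given management permissions and then denied access to data, as the Tip describes. The keyspace name app_data is hypothetical, and the RESTRICT statements assume the same "permission ON resource TO role" form that GRANT uses.

```cql
-- Added example; app_data is a hypothetical keyspace name.

-- Let db_admin manage schema and roles.
GRANT ALL PERMISSIONS ON ALL KEYSPACES TO db_admin;
GRANT ALL PERMISSIONS ON ALL ROLES TO db_admin;

-- Deny reading and writing data in the application keyspace.
-- Assumption: RESTRICT mirrors the GRANT syntax. The restriction applies
-- even though ALL PERMISSIONS was granted directly in the statements above.
RESTRICT SELECT ON KEYSPACE app_data TO db_admin;
RESTRICT MODIFY ON KEYSPACE app_data TO db_admin;

-- Review what the role now holds before handing out the credentials.
LIST ALL PERMISSIONS OF db_admin;
```

To confirm the restriction, log in as db_admin and run a SELECT against a table in app_data; the request should be rejected as unauthorized while schema and role management statements still succeed.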