LIST PERMISSIONS

Lists permissions on resources.

List of permissions. Filter list by resource and/or role.
Restriction:
  • Only superusers can list all permissions.
  • Requires DESCRIBE permission on the target resources and roles.

Synopsis

LIST ( ALL PERMISSIONS | permission_list )
  [ ON resource_name ]
  [ OF role_name ]
  [ NORECURSIVE ] ;
Tip: Omit ON resource_name to display permissions on all resources, or omit OF role_name to display permissions of all roles.
Table 1. Legend (syntax conventions and their meaning)
  • UPPERCASE - Literal keyword.
  • Lowercase - Not literal.
  • Italics - Variable value. Replace with a user-defined value.
  • [] - Optional. Square brackets ( [] ) surround optional command arguments. Do not type the square brackets.
  • ( ) - Group. Parentheses ( ( ) ) identify a group to choose from. Do not type the parentheses.
  • | - Or. A vertical bar ( | ) separates alternative elements. Type any one of the elements. Do not type the vertical bar.
  • ... - Repeatable. An ellipsis ( ... ) indicates that you can repeat the syntax element as often as required.
  • 'Literal string' - Single quotation ( ' ) marks must surround literal strings in CQL statements. Use single quotation marks to preserve upper case.
  • { key : value } - Map collection. Braces ( { } ) enclose map collections or key value pairs. A colon separates the key and the value.
  • <datatype1,datatype2> - Set, list, map, or tuple. Angle brackets ( < > ) enclose data types in a set, list, map, or tuple. Separate the data types with a comma.
  • cql_statement; - End CQL statement. A semicolon ( ; ) terminates all CQL statements.
  • [--] - Separate the command line options from the command arguments with two hyphens ( -- ). This syntax is useful when arguments might be mistaken for command line options.
  • ' <schema> ... </schema> ' - Search CQL only: Single quotation marks ( ' ) surround an entire XML schema declaration.
  • @xml_entity='xml_entity_type' - Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrConfig files.

List options

permission

Type of access a role has on a database resource. Use ALL PERMISSIONS or a comma-separated list of permissions.

Permissions are resource specific as follows:

  • Data - ALL PERMISSIONS or ALTER, AUTHORIZE [FOR permission_list], CREATE, DESCRIBE, DROP, MODIFY, and SELECT
  • Functions (and aggregates) - ALL PERMISSIONS or ALTER, AUTHORIZE [FOR permission_list], CREATE, and DROP
  • Search indexes - AUTHORIZE [FOR permission_list], SEARCH.ALTER, SEARCH.COMMIT, SEARCH.CREATE, SEARCH.DROP, SEARCH.REBUILD, and SEARCH.RELOAD
  • Roles - ALL PERMISSIONS or ALTER, AUTHORIZE [FOR permission_list], CREATE, DESCRIBE, DROP, PROXY.EXECUTE, and PROXY.LOGIN
  • JMX (MBeans) - ALL PERMISSIONS or AUTHORIZE [FOR permission_list], DESCRIBE, EXECUTE, MODIFY, and SELECT
  • Remote procedure calls (RPC) - ALL PERMISSIONS or AUTHORIZE [FOR permission_list], EXECUTE, MODIFY, and SELECT
  • Authentication schemes - ALL PERMISSIONS or AUTHORIZE [FOR permission_list] and EXECUTE
  • Spark workpools - ALL PERMISSIONS or AUTHORIZE [FOR permission_list], CREATE, and DESCRIBE
  • Spark submissions - ALL PERMISSIONS or AUTHORIZE [FOR permission_list], DESCRIBE, and MODIFY
Note: To manage access control, the role must have AUTHORIZE permission on the resource for that type of permission. When AUTHORIZE is granted without FOR permission_list, the role can manage all permissions on the object.
resource_name
DataStax Enterprise database objects on which permissions are applied. Database resources form a modelled hierarchy: a permission on an object higher in the hierarchy gives the role the same permission on the objects below it (for example, a permission on a keyspace applies to its tables). Identify the resource using the following keywords:
  • Data - ALL KEYSPACES > KEYSPACE keyspace_name > TABLE table_name > 'filtering_data' ROWS IN table_name
  • Function (including aggregates) - ALL FUNCTIONS, ALL FUNCTIONS IN KEYSPACE keyspace_name, and FUNCTION keyspace_name.function_name( argument_types)
  • Search indexes - ALL SEARCH INDICES > SEARCH KEYSPACE keyspace_name > SEARCH INDICES [keyspace_name.]table_name
  • JMX MBeans - ALL MBEANS > MBEAN mbean_name and MBEANS pattern
  • Remote procedure calls (RPC) - ALL REMOTE CALLS > REMOTE METHOD name | REMOTE OBJECT name
  • Roles - ALL ROLES > ROLE role_name
  • Authentication schemes - ALL SCHEMES > LDAP | KERBEROS | INTERNAL
  • Analytic applications
    • Workpools - ANY WORKPOOL > WORKPOOL 'dc_name.*' > WORKPOOL 'dc_name.workpool_name'
    • Submissions - ANY SUBMISSION > ANY SUBMISSION IN WORKPOOL 'datacenter_name.*' > 'datacenter_name.workpool_name' > SUBMISSION ID
role_name
Selects a role. If the role name has capital letters or special characters, enclose it in single quotes.
NORECURSIVE

Display only the permissions granted directly to the role. By default, permission checks are recursive and the listing shows both direct and inherited permissions.

List output

The LIST command shows the following information. For example, listing the permissions of role1:
LIST ALL PERMISSIONS OF role1;

 role  | username | resource           | permission | granted | restricted | grantable
-------+----------+--------------------+------------+---------+------------+-----------
 role1 |    role1 | <keyspace cycling> |       DROP |   False |       True |      True
 role1 |    role1 | <keyspace cycling> |  AUTHORIZE |    True |       True |     False
 role2 |    role2 | <keyspace cycling> |     CREATE |    True |      False |     False
 role3 |    role3 | <keyspace cycling> |       DROP |   False |      False |      True
 role3 |    role3 | <keyspace cycling> |     MODIFY |    True |      False |     False

(5 rows)
Output columns
role
The name of the role to which the permission was granted or authorized.
username
If the role is associated with a legacy user account, the user name is displayed; otherwise the role name is displayed.
resource
The resource name in angle brackets.
permission
The name of the permission.
Tip: When ALL PERMISSIONS is used, each type of permission associated with the resource is granted.
granted
  • True - Users with the role can execute the commands covered by the permission on the resource. When granted is true for AUTHORIZE, users with the role can grant the permissions they hold on the resource to other roles.
  • False - Users with the role cannot execute the commands covered by the permission.
restricted
  • True - Execution of the commands associated with the permission on the resource is denied, even if granted is true. If grantable is true, users with the role can still AUTHORIZE roles other than their own.
  • False - Users can execute the commands for which granted is true.
grantable
  • True - The permission on the resource can be granted to or revoked from another role, other than any of the user's own roles.
  • False - AUTHORIZE FOR permission has not been granted.
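The granted/restricted/grantable columns are easy to misread when auditing a cluster, so the following added example (not part of the DataStax documentation or product) parses the tabular cqlsh output of LIST PERMISSIONS, computes each role's effective rights (granted and not restricted), and flags rows where a role can AUTHORIZE a permission it cannot use itself. The sample output is constructed in the page's output format; the function names are this example's own.

```python
from collections import defaultdict

# Constructed sample in the format cqlsh prints for LIST PERMISSIONS.
# The team_manager row is hypothetical: a grant that has also been restricted.
SAMPLE = """\
 role            | username        | resource           | permission | granted | restricted | grantable
-----------------+-----------------+--------------------+------------+---------+------------+-----------
           coach |           coach | <keyspace cycling> |     SELECT |    True |      False |     False
        db_admin |        db_admin | <keyspace cycling> |     SELECT |   False |       True |     False
             sam |             sam | <keyspace cycling> |     MODIFY |   False |      False |      True
    team_manager |    team_manager | <keyspace cycling> |     MODIFY |    True |       True |      True

(4 rows)
"""

def parse_permissions(text):
    """Return one dict per output row; boolean columns become Python bools."""
    lines = [ln for ln in text.splitlines() if "|" in ln]   # drops ---- and (n rows)
    header = [h.strip() for h in lines[0].split("|")]
    rows = []
    for line in lines[1:]:
        row = dict(zip(header, (c.strip() for c in line.split("|"))))
        for flag in ("granted", "restricted", "grantable"):
            row[flag] = row[flag] == "True"
        rows.append(row)
    return rows

def effective_permissions(rows):
    """Map (role, resource) -> permissions the role can actually exercise.
    Per the column semantics, restricted=True overrides granted=True."""
    effective = defaultdict(set)
    for r in rows:
        if r["granted"] and not r["restricted"]:
            effective[(r["role"], r["resource"])].add(r["permission"])
    return dict(effective)

def audit_findings(rows):
    """Rows a reviewer should look at: grantable rights the role cannot use
    itself (it may still AUTHORIZE other roles), and restricted grants."""
    findings = []
    for r in rows:
        usable = r["granted"] and not r["restricted"]
        if r["grantable"] and not usable:
            findings.append((r["role"], r["permission"], "grantable without usable grant"))
        if r["granted"] and r["restricted"]:
            findings.append((r["role"], r["permission"], "restricted overrides grant"))
    return findings
```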

Example

All permissions for all roles and resources

List permissions given to all the roles on all resources:
LIST ALL PERMISSIONS;
LIST ROLES;

Individual role permissions

List all permissions given to sam:
LIST ALL PERMISSIONS OF sam;
Output is:
 role | username | resource           | permission | granted | restricted | grantable
------+----------+--------------------+------------+---------+------------+-----------
  sam |      sam | <keyspace cycling> |     SELECT |   False |      False |      True
  sam |      sam | <keyspace cycling> |     MODIFY |   False |      False |      True

(2 rows)

All permissions on a resource

List all permissions on the cyclist_name table:
LIST ALL PERMISSIONS ON cycling.cyclist_name;
Output is:
 role            | username        | resource           | permission | granted | restricted | grantable
-----------------+-----------------+--------------------+------------+---------+------------+-----------
           coach |           coach | <keyspace cycling> |      ALTER |    True |      False |     False
           coach |           coach | <keyspace cycling> |     SELECT |    True |      False |     False
           coach |           coach | <keyspace cycling> |     MODIFY |    True |      False |     False
   cycling_admin |   cycling_admin | <keyspace cycling> |     CREATE |    True |      False |     False
   cycling_admin |   cycling_admin | <keyspace cycling> |      ALTER |    True |      False |     False
   cycling_admin |   cycling_admin | <keyspace cycling> |       DROP |    True |      False |     False
   cycling_admin |   cycling_admin | <keyspace cycling> |     SELECT |    True |      False |     False
   cycling_admin |   cycling_admin | <keyspace cycling> |     MODIFY |    True |      False |     False
   cycling_admin |   cycling_admin | <keyspace cycling> |  AUTHORIZE |    True |      False |     False
   cycling_admin |   cycling_admin | <keyspace cycling> |   DESCRIBE |    True |      False |     False
 cycling_analyst | cycling_analyst | <keyspace cycling> |     SELECT |    True |      False |     False
        dantest1 |        dantest1 | <keyspace cycling> |  AUTHORIZE |    True |      False |     False
        db_admin |        db_admin | <keyspace cycling> |     SELECT |   False |       True |     False
        db_admin |        db_admin | <keyspace cycling> |     MODIFY |   False |       True |     False
          martin |          martin |    <all keyspaces> |     CREATE |   False |       True |     False
          martin |          martin | <keyspace cycling> |     CREATE |    True |      False |     False
      role_admin |      role_admin | <keyspace cycling> |     SELECT |   False |       True |     False
      role_admin |      role_admin | <keyspace cycling> |     MODIFY |   False |       True |     False
             sam |             sam | <keyspace cycling> |     SELECT |   False |      False |      True
             sam |             sam | <keyspace cycling> |     MODIFY |   False |      False |      True
    team_manager |    team_manager | <keyspace cycling> |     MODIFY |    True |      False |     False

(21 rows)