Controlling access to keyspaces and tables

Provides examples of how to manage access to keyspaces and tables.

Authorize roles to access keyspaces and tables using the CQL GRANT and REVOKE commands. Keyspaces, tables, and rows are hierarchical: a role that has a permission on a top-level object, such as a keyspace, automatically has that permission on its child objects (tables and rows).

DataStax Enterprise supports this CQL syntax in cqlsh to revoke permissions:
REVOKE permission_name ON resource_name FROM role_name; 

Procedure

  • Create a role that has all permissions in all keyspaces:
    CREATE ROLE keyspace_admin;
    GRANT ALL PERMISSIONS ON ALL KEYSPACES TO keyspace_admin;
  • Create an administrator role for a single keyspace:
    CREATE ROLE cycling_admin;
    GRANT ALL PERMISSIONS ON KEYSPACE cycling TO cycling_admin;
  • Create a role that can only make data changes (INSERT, UPDATE, DELETE, and TRUNCATE) on any table in the cycling keyspace:
    CREATE ROLE team_manager;
    GRANT MODIFY ON KEYSPACE cycling TO team_manager;
  • Create a role that can only select data and use functions in the cycling keyspace:
    CREATE ROLE cyclist_analyst;
    GRANT SELECT ON KEYSPACE cycling TO cyclist_analyst;
    GRANT EXECUTE ON ALL FUNCTIONS IN KEYSPACE cycling TO cyclist_analyst;
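
The following sequence is an added example, not part of the original page. It shows how the keyspace-to-table hierarchy affects REVOKE and how to confirm the result with LIST PERMISSIONS. The table cycling.cyclist_name is an assumed name and must already exist.

```cql
-- Assumed: table cycling.cyclist_name exists (name not from this page).
-- Starting point: the keyspace-wide read grant from the procedure above.
GRANT SELECT ON KEYSPACE cycling TO cyclist_analyst;

-- Inherited access: the recursive listing for the table also returns
-- the grant held on its parent keyspace.
LIST ALL PERMISSIONS ON TABLE cycling.cyclist_name OF cyclist_analyst;

-- A table-level REVOKE only removes a grant recorded on that table.
-- The keyspace-level grant is untouched, so the role can still read it.
REVOKE SELECT ON TABLE cycling.cyclist_name FROM cyclist_analyst;

-- To narrow access, revoke at the level where the grant was made,
-- then grant on the single table the role actually needs.
REVOKE SELECT ON KEYSPACE cycling FROM cyclist_analyst;
GRANT SELECT ON TABLE cycling.cyclist_name TO cyclist_analyst;

-- Verify: NORECURSIVE lists only grants made directly on the named resource.
LIST ALL PERMISSIONS ON TABLE cycling.cyclist_name OF cyclist_analyst NORECURSIVE;
-- Verify: no SELECT grant remains for this role at keyspace level.
LIST ALL PERMISSIONS ON KEYSPACE cycling OF cyclist_analyst NORECURSIVE;
```

Running the two NORECURSIVE listings after any permission change is a quick review step: a grant that appears at keyspace level applies to every current and future table in that keyspace.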