Data resources
Syntax for authorizing access to keyspaces, tables, rows, and types.
dse.yaml
The location of the dse.yaml file depends on the type of installation:
Installation type | Location |
---|---|
Package installations | /etc/dse/dse.yaml |
Tarball installations | installation_location/resources/dse/conf/dse.yaml |
Data resources are keyspaces, types, tables, and rows. Access is controlled using a modelled hierarchy. Granting or revoking a privilege on a top-level object automatically applies the same permission change to all ancestors.
Data resources have the following hierarchy:
Synopsis
Use the following syntax for data resource access control:
- ALL KEYSPACES
syntax:
GRANT permission[, permission ...] ON ALL KEYSPACES TO role_name;
Where permissions are ALL PERMISSIONS, CREATE, DESCRIBE, DROP, MODIFY, and SELECT.
- KEYSPACE
syntax:
GRANT permission[, permission ...] ON KEYSPACE keyspace_name TO role_name;
Where permissions are ALL PERMISSIONS, CREATE, DESCRIBE, DROP, MODIFY, and SELECT.
Note: User-defined type access control is the same as the privilege the role has on the keyspace.
- TABLE
syntax:
GRANT permission[, permission ...] ON [TABLE] keyspace_name.table_name TO role_name;
Where privileges are ALL PERMISSIONS, DROP, MODIFY, and SELECT.
- ROWS
syntax:
GRANT permission[, permission ...] ON 'filter_text' ROWS IN keyspace_name.table_name TO role_name;
Where privileges are ALL PERMISSIONS, MODIFY and SELECT.
Note: Row-level access control (RLAC) is disabled by default. To use RLAC, set parameter to true in the dse.yaml.
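The four GRANT forms above, applied as a least-privilege setup and then reviewed and revoked. This is an added example, not taken from the DSE documentation: the keyspace, table, column, filter value and role names are constructed, and RESTRICT ROWS, LIST ALL PERMISSIONS and REVOKE are DSE CQL statements whose syntax this page does not give.

```cql
-- Constructed schema: keyspace "cycling", table "cyclist_expenses" whose
-- partition key column is assumed to be "cyclist_name". Role names are hypothetical.
CREATE ROLE IF NOT EXISTS schema_auditor WITH LOGIN = false;
CREATE ROLE IF NOT EXISTS reporting      WITH LOGIN = false;
CREATE ROLE IF NOT EXISTS expense_clerk  WITH LOGIN = false;
CREATE ROLE IF NOT EXISTS vera_self      WITH LOGIN = false;

-- ALL KEYSPACES: widest scope, so grant only the narrowest privilege needed.
-- DESCRIBE exposes schema metadata but not table data.
GRANT DESCRIBE ON ALL KEYSPACES TO schema_auditor;

-- KEYSPACE: read access to every table in one keyspace.
GRANT SELECT ON KEYSPACE cycling TO reporting;

-- TABLE: read and write on a single table, nothing else in the keyspace.
GRANT MODIFY, SELECT ON TABLE cycling.cyclist_expenses TO expense_clerk;

-- ROWS: requires RLAC to be enabled in dse.yaml (disabled by default).
-- First declare which column the row filter is matched against,
-- then grant on the exact filter text.
RESTRICT ROWS ON cycling.cyclist_expenses USING cyclist_name;
GRANT SELECT ON 'Vera ADRIAN' ROWS IN cycling.cyclist_expenses TO vera_self;

-- Review what each role actually holds before handing it to a login role.
LIST ALL PERMISSIONS OF schema_auditor;
LIST ALL PERMISSIONS OF reporting;
LIST ALL PERMISSIONS OF expense_clerk;
LIST ALL PERMISSIONS OF vera_self;

-- Tighten a grant that turned out to be too broad: drop the keyspace-wide
-- read and replace it with a read on the one table the role needs.
REVOKE SELECT ON KEYSPACE cycling FROM reporting;
GRANT SELECT ON TABLE cycling.cyclist_expenses TO reporting;
```

Run the LIST statements again after the REVOKE to confirm that the keyspace-level SELECT is gone and only the table-level grant remains.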
Permission matrix
The following table describes the CQL statements enabled on the resource when a privilege is granted to a role:
Privilege type | Resource names | Permissions |
---|---|---|
ALL PERMISSIONS | ALL KEYSPACES | and , as well as all permissions on ancestor objects described in CREATE, ALTER, AUTHORIZE, DESCRIBE, DROP, MODIFY, and SELECT privilege. |
ALL PERMISSIONS | KEYSPACE | ALTER, AUTHORIZE, DESCRIBE, and SELECT privileges on the keyspace and CREATE, ALTER, AUTHORIZE, DESCRIBE, DROP, and SELECT privileges on types, tables, and rows. |
ALL PERMISSIONS | TABLE | MODIFY, SELECT, and AUTHORIZE privileges on the table and all privileges on rows. |
ALL PERMISSIONS | ROWS | MODIFY and SELECT privileges on the rows that match the filtering text. |
ALTER | ALL KEYSPACES | , , , , and . |
ALTER | KEYSPACE | |
ALTER | TABLE | , , and . |
CREATE | ALL KEYSPACES | , and . Note: Creating a resource automatically grants AUTHORIZE permission to the role that created it. |
CREATE | KEYSPACE | and in specified keyspace. |
CREATE | TABLE | in specified keyspace. |
DESCRIBE | ALL KEYSPACES | , , and in any keyspace |
DESCRIBE | KEYSPACE | , , and , and , and in specified keyspace |
DROP | ALL KEYSPACES | , , and in any keyspace |
DROP | KEYSPACE | , and in specified keyspace |
DROP | TABLE | |
MODIFY | ALL KEYSPACES | , , and on all tables. |
MODIFY | KEYSPACE | , , and on any table in specified keyspace. |
MODIFY | TABLE | , , and on specified table. See note for tables with materialized views (MVs). |
MODIFY | ROWS | , , on the partition that matches the 'filtering_data' for the table. |
SELECT | ALL KEYSPACES | on any table. |
SELECT | KEYSPACE | on any table in specified keyspace. |
SELECT | TABLE | on specified table. |
SELECT | ROWS | on rows that exactly match the 'filtering_data' in specified table. |
Note: To modify a base table that has a materialized view (MV) using an INSERT or UPDATE command if access permissions are enabled, a user must be granted MODIFY or ALL PERMISSIONS on the base table.