Data resources

Syntax for authorizing access to keyspaces, tables, rows, and types.

dse.yaml

The location of the dse.yaml file depends on the type of installation:
  • Package installations: /etc/dse/dse.yaml
  • Tarball installations: installation_location/resources/dse/conf/dse.yaml

Data resources are keyspaces, types, tables, and rows. Access is controlled using a modelled hierarchy. Granting or revoking a privilege on a top-level object automatically applies the same change to all objects below it in the hierarchy.

Data resources have the following hierarchy:

Synopsis

Use the following syntax for data resource access control:
  • ALL KEYSPACES syntax:
    GRANT permission[, permission ...]  
    ON ALL KEYSPACES 
    TO role_name;
    Where permissions are ALL PERMISSIONS, CREATE, DESCRIBE, DROP, MODIFY, and SELECT.
  • KEYSPACE syntax:
    GRANT permission[, permission ...]  
    ON KEYSPACE keyspace_name 
    TO role_name;
    Where permissions are ALL PERMISSIONS, CREATE, DESCRIBE, DROP, MODIFY, and SELECT.
    Note: User-defined type access control is the same as the privilege the role has on the keyspace.
  • TABLE syntax:
    GRANT permission[, permission ...]  
    ON [TABLE] keyspace_name.table_name 
    TO role_name;
    Where privileges are ALL PERMISSIONS, DROP, MODIFY, and SELECT.
  • ROWS syntax:
    GRANT permission[, permission ...]  
    ON 'filter_text' ROWS IN keyspace_name.table_name 
    TO role_name;
    Where privileges are ALL PERMISSIONS, MODIFY and SELECT.
    Note: Row-level access control (RLAC) is disabled by default. To use RLAC, set the allow_row_level_security parameter to true in dse.yaml.

Permission matrix

The following table describes the CQL statements enabled on the resource when a privilege is granted to a role:

| Privilege type | Resource names | Permissions |
|---|---|---|
| ALL PERMISSIONS | ALL KEYSPACES | CREATE KEYSPACE and DROP KEYSPACE, as well as all permissions on lower-level objects described under the CREATE, ALTER, AUTHORIZE, DESCRIBE, DROP, MODIFY, and SELECT privileges. |
| ALL PERMISSIONS | KEYSPACE | ALTER, AUTHORIZE, DESCRIBE, and SELECT privileges on the keyspace and CREATE, ALTER, AUTHORIZE, DESCRIBE, DROP, and SELECT privileges on types, tables, and rows. |
| ALL PERMISSIONS | TABLE | MODIFY, SELECT, and AUTHORIZE privileges on the table and all privileges on rows. |
| ALL PERMISSIONS | ROWS | MODIFY and SELECT privileges on the rows that match the filtering text. |
| ALTER | ALL KEYSPACES | ALTER KEYSPACE, ALTER TABLE, ALTER TYPE, RESTRICT ROWS, and UNRESTRICT ROWS. |
| ALTER | KEYSPACE | |
| ALTER | TABLE | ALTER TABLE, RESTRICT ROWS, and UNRESTRICT ROWS. |
| CREATE | ALL KEYSPACES | CREATE KEYSPACE, CREATE TABLE, and CREATE TYPE. Note: Creating a resource automatically grants AUTHORIZE permission to the role that created it. |
| CREATE | KEYSPACE | CREATE TABLE and CREATE TYPE in specified keyspace. |
| CREATE | TABLE | CREATE TABLE in specified keyspace. |
| DESCRIBE | ALL KEYSPACES | DESCRIBE KEYSPACE, DESCRIBE TABLE, and DESCRIBE TYPE in any keyspace. |
| DESCRIBE | KEYSPACE | DESCRIBE KEYSPACE, DESCRIBE TABLE, DESCRIBE TYPE, DESCRIBE FUNCTION, and DESCRIBE AGGREGATE in specified keyspace. |
| DROP | ALL KEYSPACES | DROP KEYSPACE, DROP TABLE, and DROP TYPE in any keyspace. |
| DROP | KEYSPACE | DROP TABLE and DROP TYPE in specified keyspace. |
| DROP | TABLE | DROP TABLE. |
| MODIFY | ALL KEYSPACES | INSERT, UPDATE, DELETE, and TRUNCATE on all tables. |
| MODIFY | KEYSPACE | INSERT, UPDATE, DELETE, and TRUNCATE on any table in specified keyspace. |
| MODIFY | TABLE | INSERT, UPDATE, DELETE, and TRUNCATE on specified table. See note for tables with materialized views (MVs). |
| MODIFY | ROWS | INSERT, UPDATE, and DELETE on the partition that matches the 'filtering_data' for the table. |
| SELECT | ALL KEYSPACES | SELECT on any table. |
| SELECT | KEYSPACE | SELECT on any table in specified keyspace. |
| SELECT | TABLE | SELECT on specified table. |
| SELECT | ROWS | SELECT on rows that exactly match the 'filtering_data' in specified table. |

Note: When access permissions are enabled, a user must be granted MODIFY or ALL PERMISSIONS on the base table to run an INSERT or UPDATE command against a base table that has a materialized view (MV).
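
A least-privilege layout that uses the KEYSPACE, TABLE, and ROWS grant forms from the synopsis, given here as an added example that is not part of the original documentation. The keyspace shop, the table orders, and the three role names are constructed placeholders; the row-level grant assumes allow_row_level_security is already set to true in dse.yaml.

```cql
-- Added example: all object and role names below are constructed placeholders.

CREATE KEYSPACE IF NOT EXISTS shop
  WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1};

CREATE TABLE IF NOT EXISTS shop.orders (
  tenant_id text,
  order_id  uuid,
  total     decimal,
  PRIMARY KEY (tenant_id, order_id)
);

CREATE ROLE IF NOT EXISTS reporting   WITH LOGIN = false;
CREATE ROLE IF NOT EXISTS order_svc   WITH LOGIN = false;
CREATE ROLE IF NOT EXISTS tenant_acme WITH LOGIN = false;

-- Keyspace level: read-only. Per the hierarchy, this covers every table
-- in shop, including tables created later.
GRANT SELECT ON KEYSPACE shop TO reporting;

-- Table level: read/write on one table only.
-- Per the permission matrix, MODIFY on a table includes TRUNCATE.
GRANT SELECT, MODIFY ON TABLE shop.orders TO order_svc;

-- Row level: pick the filtering column first (RESTRICT ROWS needs ALTER
-- on the table), then grant on the exact value to match.
RESTRICT ROWS ON shop.orders USING tenant_id;
GRANT SELECT ON 'acme' ROWS IN shop.orders TO tenant_acme;

-- Review what each role actually holds before handing it out.
LIST ALL PERMISSIONS OF reporting;
LIST ALL PERMISSIONS OF order_svc;
LIST ALL PERMISSIONS OF tenant_acme;

-- Tighten a role later by revoking at the same level it was granted.
REVOKE MODIFY ON TABLE shop.orders FROM order_svc;
```

A role that also holds SELECT at the table or keyspace level is not narrowed by a ROWS grant, so keep row-restricted roles free of broader grants on the same table.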