GRANT
Assigns privileges to roles on database resources, such as keyspaces, tables, and functions.
Permissions take effect immediately, including for client sessions that are already connected. The one delay to plan for is the per-node permissions cache (permissions_validity_in_ms in cassandra.yaml): with a non-zero validity, a node may keep serving the previous decision for up to that long.
Restriction: Enable authentication and authorization to control access to database resources. See Enabling DSE Unified Authentication.
Synopsis
GRANT [AUTHORIZE FOR] <permission> [, <permission> ...] ON <resource_name> TO <role_name> ;
Syntax legend
Syntax conventions | Description |
---|---|
UPPERCASE | Literal keyword. |
Lowercase | Not literal. |
< > | Variable value. Replace with a user-defined value. |
[ ] | Optional. Square brackets ( [ ] ) surround optional command arguments. Do not type the square brackets. |
( ) | Group. Parentheses ( ( ) ) identify a group to choose from. Do not type the parentheses. |
\| | Or. A vertical bar ( \| ) separates alternative elements. Type any one of the elements. Do not type the vertical bar. |
... | Repeatable. An ellipsis ( ... ) indicates that you can repeat the syntax element as often as required. |
'Literal string' | Single quotation ( ' ) marks must surround literal strings in CQL statements. Use single quotation marks to preserve upper case. |
{ key : value } | Map collection. Braces ( { } ) enclose map collections or key value pairs. A colon separates the key and the value. |
<datatype1>,<datatype2> | Set, list, map, or tuple. Angle brackets ( < > ) enclose data types in a set, list, map, or tuple. Separate the data types with a comma. |
cql_statement; | End CQL statement. A semicolon ( ; ) terminates all CQL statements. |
[--] | Separate the command line options from the command arguments with two hyphens ( -- ). This syntax is useful when arguments might be mistaken for command line options. |
' <schema> ... </schema> ' | Search CQL only: Single quotation marks ( ' ) surround an entire XML schema declaration. |
@xml_entity='xml_entity_type' | Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrConfig files. |
- privilege
  For DSE 5.1 only. Permissions granted on a resource to a role; grant a privilege at any level of the resource hierarchy. The full set of available privileges is:
  - ALL PERMISSIONS
  - ALTER
  - AUTHORIZE
  - CREATE
  - DESCRIBE
  - DROP
  - EXECUTE
  - MODIFY
  - PROXY.EXECUTE
  - PROXY.LOGIN
  - SEARCH.ALTER
  - SEARCH.COMMIT
  - SEARCH.CREATE
  - SEARCH.DROP
  - SEARCH.REBUILD
  - SEARCH.RELOAD
  - SELECT
- <permission>
  Type of access a role has on a database resource. Use ALL PERMISSIONS or a comma separated list of permissions. Permissions are resource-specific as follows:
  - Data: ALL PERMISSIONS, or ALTER, AUTHORIZE [FOR <permission_list>], CREATE, DESCRIBE, DROP, MODIFY (deprecated; use UPDATE and TRUNCATE), SELECT, TRUNCATE, or UPDATE (allows INSERT, UPDATE, or DELETE)
  - Functions (and aggregates): ALL PERMISSIONS, or ALTER, AUTHORIZE [FOR <permission_list>], CREATE, DROP, and EXECUTE
  - Search indexes: ALL PERMISSIONS, or AUTHORIZE [FOR <permission_list>], SEARCH.ALTER, SEARCH.COMMIT, SEARCH.CREATE, SEARCH.DROP, SEARCH.REBUILD, and SEARCH.RELOAD
  - Roles: ALL PERMISSIONS, or ALTER, AUTHORIZE [FOR <permission_list>], CREATE, DESCRIBE, DROP, PROXY.EXECUTE, and PROXY.LOGIN
  - JMX (MBeans): ALL PERMISSIONS, or AUTHORIZE [FOR <permission_list>], DESCRIBE, EXECUTE, MODIFY, and SELECT
  - Remote procedure calls (RPC): ALL PERMISSIONS, or AUTHORIZE [FOR <permission_list>], EXECUTE, MODIFY, and SELECT
  - Authentication schemes: ALL PERMISSIONS, or AUTHORIZE [FOR <permission_list>] and EXECUTE
  - Spark workpools: ALL PERMISSIONS, or AUTHORIZE [FOR <permission_list>], CREATE, and DESCRIBE
  - Spark submissions: ALL PERMISSIONS, or AUTHORIZE [FOR <permission_list>], DESCRIBE, and MODIFY

  To manage access control, the granting role must hold AUTHORIZE on the resource (or on an ancestor of it) for the type of permission being granted. AUTHORIZE without a FOR clause lets the role grant or revoke any permission on the resource, including AUTHORIZE itself; AUTHORIZE FOR <permission_list> limits the role to granting or revoking only the listed permissions, and never lets it delegate further.
- <resource_name>
  Apache Cassandra® database objects on which permissions are applied. Database resources form a modelled hierarchy: a permission granted on a top-level object gives the role the same permission on every descendant of that object (for example, SELECT on KEYSPACE cycling applies to every table in cycling). Grant at the narrowest level that does the job. Identify the resource using the following keywords, listed from widest to narrowest scope:
  - Data: ALL KEYSPACES > KEYSPACE <keyspace_name> > ALL TABLES IN KEYSPACE <keyspace_name> > TABLE <table_name> > '<filtering_data>' ROWS IN <table_name>
  - Functions (including aggregates): ALL FUNCTIONS > ALL FUNCTIONS IN KEYSPACE <keyspace_name> > FUNCTION <keyspace_name>.<function_name>(<argument_types>)
  - Search indexes: ALL SEARCH INDICES > SEARCH KEYSPACE <keyspace_name> > SEARCH INDEX [<keyspace_name>.]<table_name>
  - JMX MBeans: ALL MBEANS > MBEAN <mbean_name> | MBEANS <pattern>
  - Remote procedure calls (RPC): ALL REMOTE CALLS > REMOTE METHOD <name> | REMOTE OBJECT <name>
  - Roles: ALL ROLES > ROLE <role_name>
  - Authentication schemes: ALL SCHEMES > LDAP | KERBEROS | INTERNAL
  - Analytic applications:
    - Workpools: ANY WORKPOOL > WORKPOOL '<dc_name>.*' > WORKPOOL '<dc_name>.<workpool_name>'
    - Submissions: ANY SUBMISSION > ANY SUBMISSION IN WORKPOOL '<dc_name>.*' > ANY SUBMISSION IN WORKPOOL '<dc_name>.<workpool_name>' > SUBMISSION <ID>
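The hierarchy above is what decides how far a grant reaches. The following is an added example, not part of the DSE documentation, showing least-privilege grants on the data and function branches and how to check the result with LIST PERMISSIONS. The keyspace, tables, function, role names and passwords are constructed for illustration; the Java UDF only compiles if user-defined functions are enabled on the cluster.

```cql
-- Added example (not DSE's own documentation). Run as a superuser with
-- authentication and authorization enabled. All names below are constructed.

CREATE KEYSPACE IF NOT EXISTS cycling
  WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1};

CREATE TABLE IF NOT EXISTS cycling.race_times (
  race_name text, cyclist_name text, finish_seconds bigint,
  PRIMARY KEY (race_name, cyclist_name));

-- A second table in the same keyspace that the reporting role must NOT see.
CREATE TABLE IF NOT EXISTS cycling.payroll (
  cyclist_name text PRIMARY KEY, salary decimal);

-- A scalar UDF (requires enable_user_defined_functions: true in cassandra.yaml).
CREATE OR REPLACE FUNCTION cycling.to_minutes(seconds bigint)
  RETURNS NULL ON NULL INPUT RETURNS bigint
  LANGUAGE java AS 'return seconds / 60L;';

CREATE ROLE IF NOT EXISTS reporting
  WITH PASSWORD = 'reporting-pw-CHANGE-ME' AND LOGIN = true;

-- Least privilege: one TABLE, not the KEYSPACE; one FUNCTION, not ALL FUNCTIONS.
-- Either wider grant would also reach cycling.payroll / every UDF in the keyspace,
-- because permissions flow down the hierarchy to every descendant.
GRANT SELECT  ON TABLE    cycling.race_times          TO reporting;
GRANT EXECUTE ON FUNCTION cycling.to_minutes(bigint)  TO reporting;

-- Verify what was stored: expect exactly two rows, one SELECT on the table and
-- one EXECUTE on the function, and nothing at keyspace or ALL KEYSPACES level.
LIST ALL PERMISSIONS OF reporting;

-- Verify the effective chain for one resource: this form also lists grants made on
-- the table's ancestors (KEYSPACE cycling, ALL KEYSPACES), which is where an
-- over-broad grant would show up.
LIST ALL PERMISSIONS ON TABLE cycling.race_times OF reporting;

-- Logged in as reporting (cqlsh -u reporting), this succeeds: SELECT on the table
-- plus EXECUTE on the function used in the projection.
SELECT race_name, cyclist_name, cycling.to_minutes(finish_seconds) AS minutes
  FROM cycling.race_times;

-- These are refused with Unauthorized, because no grant exists on the resource or
-- on any ancestor of it for that permission:
--   SELECT * FROM cycling.payroll;
--   INSERT INTO cycling.race_times (race_name, cyclist_name, finish_seconds)
--     VALUES ('Tour', 'x', 1);
```

When reviewing an existing role, run both LIST forms: the first shows what was granted directly to the role, the second shows what it can actually do on a given table once inherited grants on the keyspace and ALL KEYSPACES are taken into account.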
Access control matrix tables
Resource type: Data
Privilege | Resource | Permissions |
---|---|---|
ALL PERMISSIONS | any data resource | All operations that are applicable to the resource and its descendants. |
ALTER | ALL KEYSPACES | ALTER KEYSPACE, ALTER TABLE, ALTER TYPE, and RESTRICT ROWS in any keyspace. |
ALTER | KEYSPACE | ALTER KEYSPACE, ALTER TABLE, ALTER TYPE, and RESTRICT ROWS in the specified keyspace. |
ALTER | TABLE | ALTER TABLE and RESTRICT ROWS on the specified table. |
CREATE | ALL KEYSPACES | CREATE KEYSPACE, CREATE TABLE, CREATE FUNCTION, and CREATE TYPE in any keyspace. |
CREATE | KEYSPACE | CREATE TABLE and CREATE TYPE in the specified keyspace. |
DROP | ALL KEYSPACES | DROP KEYSPACE, DROP TABLE, and DROP TYPE in any keyspace. |
DROP | KEYSPACE | DROP TABLE and DROP TYPE in the specified keyspace. |
DROP | TABLE | DROP TABLE on the specified table. |
MODIFY | '<filtering_data>' ROWS IN <table_name> | MODIFY on rows that exactly match the filtering data. |
MODIFY | ALL KEYSPACES | INSERT, UPDATE, DELETE, and TRUNCATE on any table (deprecated; grant UPDATE and TRUNCATE instead). |
MODIFY | KEYSPACE | INSERT, UPDATE, DELETE, and TRUNCATE on any table in the specified keyspace (deprecated; grant UPDATE and TRUNCATE instead). |
MODIFY | TABLE | INSERT, UPDATE, DELETE, and TRUNCATE on the specified table (deprecated; grant UPDATE and TRUNCATE instead). |
SELECT | '<filtering_data>' ROWS IN <table_name> | SELECT on rows that exactly match the filtering data. |
SELECT | ALL KEYSPACES | SELECT on any table. |
SELECT | KEYSPACE | SELECT on any table in the specified keyspace. |
SELECT | TABLE | SELECT on the specified table. |
Resource type: Functions
Privilege | Resource | Permissions |
---|---|---|
ALTER | ALL FUNCTIONS | Replace an existing function or aggregate (CREATE OR REPLACE FUNCTION, CREATE OR REPLACE AGGREGATE) in any keyspace. |
ALTER | ALL FUNCTIONS IN KEYSPACE | Replace an existing function or aggregate (CREATE OR REPLACE) in the specified keyspace. |
ALTER | FUNCTION | Replace the specified function or aggregate (CREATE OR REPLACE). |
CREATE | ALL FUNCTIONS | CREATE FUNCTION and CREATE AGGREGATE in any keyspace. |
CREATE | ALL FUNCTIONS IN KEYSPACE | CREATE FUNCTION and CREATE AGGREGATE in the specified keyspace. |
DROP | ALL FUNCTIONS | DROP FUNCTION and DROP AGGREGATE in any keyspace. |
DROP | ALL FUNCTIONS IN KEYSPACE | DROP FUNCTION and DROP AGGREGATE in the specified keyspace. |
DROP | FUNCTION | DROP FUNCTION on the specified function. |
EXECUTE | ALL FUNCTIONS | SELECT, INSERT, and UPDATE using any function, and use of any function in CREATE AGGREGATE. |
EXECUTE | ALL FUNCTIONS IN KEYSPACE | SELECT, INSERT, and UPDATE using any function in the specified keyspace, and use of any function in that keyspace in CREATE AGGREGATE. |
EXECUTE | FUNCTION | SELECT, INSERT, and UPDATE using the specified function, and use of that function in CREATE AGGREGATE. |
Resource type: JMX
Privilege | Resource | Permissions |
---|---|---|
DESCRIBE | ALL MBEANS | Retrieve metadata about any MBean from the platform's MBeanServer. |
DESCRIBE | MBEAN | Retrieve metadata about the named MBean from the platform's MBeanServer. |
DESCRIBE | MBEANS pattern | Retrieve metadata about any MBean matching the wildcard pattern from the platform's MBeanServer. |
EXECUTE | ALL MBEANS | Execute operations on any MBean. |
EXECUTE | MBEAN | Execute operations on the named MBean. |
EXECUTE | MBEANS pattern | Execute operations on any MBean matching the wildcard pattern. |
MODIFY | ALL MBEANS | Call setter methods on any MBean. |
MODIFY | MBEAN | Call setter methods on the named MBean. |
MODIFY | MBEANS pattern | Call setter methods on any MBean matching the wildcard pattern. |
SELECT | ALL MBEANS | Call getter methods on any MBean. |
SELECT | MBEAN | Call getter methods on the named MBean. |
SELECT | MBEANS pattern | Call getter methods on any MBean matching the wildcard pattern. |
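JMX permissions are coarse: SELECT, MODIFY and EXECUTE map to attribute reads, attribute writes and operation invocations on a whole MBean, with no way to allow one operation and deny another. The following is an added example, not from the DSE documentation, of a read-only monitoring role built from the table above. Role names and passwords are constructed; the ObjectName domains are Cassandra's standard metric and database domains. It assumes the node's JMX layer has been configured to authenticate and authorize against database roles; with JMX password files these grants are never consulted.

```cql
-- Added example (not DSE's own documentation). Names and passwords are constructed.

CREATE ROLE IF NOT EXISTS monitor
  WITH PASSWORD = 'monitor-pw-CHANGE-ME' AND LOGIN = true;

-- DESCRIBE: enumerate MBeans and read their attribute/operation metadata.
GRANT DESCRIBE ON ALL MBEANS TO monitor;

-- SELECT: attribute reads (getters) only, and only under two domains.
-- The quoted value is a JMX ObjectName pattern, so 'domain:*' matches every
-- key-property combination in that domain.
GRANT SELECT ON MBEANS 'org.apache.cassandra.metrics:*' TO monitor;
GRANT SELECT ON MBEANS 'org.apache.cassandra.db:*'      TO monitor;

-- Deliberately not granted:
--   EXECUTE on ALL MBEANS would cover operations such as
--   StorageService.drain/stopGossiping and HotSpotDiagnostic.dumpHeap;
--   MODIFY would cover setters such as compaction throughput.

-- An operator that needs to flush: one named MBean, one permission.
CREATE ROLE IF NOT EXISTS ops_flush
  WITH PASSWORD = 'ops-flush-pw-CHANGE-ME' AND LOGIN = true;
GRANT DESCRIBE ON ALL MBEANS TO ops_flush;
GRANT EXECUTE  ON MBEAN 'org.apache.cassandra.db:type=StorageService' TO ops_flush;
-- Caveat: EXECUTE on StorageService also permits decommission, drain and
-- stopGossiping, because JMX grants are per MBean, not per operation. Treat this
-- as a node-control grant and keep the set of holders small.

-- Verify the stored grants.
LIST ALL PERMISSIONS OF monitor;
LIST ALL PERMISSIONS OF ops_flush;

-- Check from the client side with nodetool, which accepts JMX credentials:
--   nodetool -u monitor -pw 'monitor-pw-CHANGE-ME' tablestats cycling   -- reads only: allowed
--   nodetool -u monitor -pw 'monitor-pw-CHANGE-ME' flush cycling        -- invokes forceKeyspaceFlush: denied
```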
Resource type: Role management
Privilege | Resource | Permissions |
---|---|---|
ALTER | ALL ROLES | ALTER ROLE on any role. |
ALTER | ROLE | ALTER ROLE on the specified role. |
AUTHORIZE | any resource | GRANT and REVOKE of permissions on the resource. Roles are themselves resources. Requires that the granting role has AUTHORIZE on the resource. |
AUTHORIZE | ROLE | GRANT a role (as a set of permissions) to another role. Requires AUTHORIZE on the role being granted and on the target role. |
CREATE | ALL ROLES | CREATE ROLE. |
DESCRIBE | ALL ROLES | LIST ROLES for all roles, or only the roles granted to a specified role. |
DROP | ALL ROLES | DROP ROLE on any role. |
DROP | ROLE | DROP ROLE on the specified role. |
PROXY.EXECUTE | ROLE | After authenticating, issue individual requests as the specified role. |
PROXY.LOGIN | ROLE | After authenticating, issue all requests in the session as the specified role. |
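Role grants and the two PROXY permissions are the easiest place to hand out more than intended, since a grant on ALL ROLES reaches every role including superusers. The following is an added example, not from the DSE documentation, of a group-style role, a service account with proxy rights on one named role, and a help-desk role that can manage one account without being able to grant anything. All role names and passwords are constructed.

```cql
-- Added example (not DSE's own documentation). Names and passwords are constructed.

-- A role used as a group: no LOGIN and no password, only permissions.
CREATE ROLE IF NOT EXISTS cycling_readers;
GRANT SELECT ON KEYSPACE cycling TO cycling_readers;

CREATE ROLE IF NOT EXISTS alice
  WITH PASSWORD = 'alice-pw-CHANGE-ME' AND LOGIN = true;
-- GRANT role TO role: the grantor needs AUTHORIZE on the granted role.
GRANT cycling_readers TO alice;

-- Service account that acts on behalf of end users.
CREATE ROLE IF NOT EXISTS app_svc
  WITH PASSWORD = 'app-svc-pw-CHANGE-ME' AND LOGIN = true;
-- PROXY.EXECUTE: app_svc may run individual requests as alice.
GRANT PROXY.EXECUTE ON ROLE alice TO app_svc;
-- PROXY.LOGIN would let app_svc open an entire session as alice. Both proxy
-- permissions belong on named roles only; ON ALL ROLES would let the service
-- impersonate every role, superusers included:
--   GRANT PROXY.LOGIN ON ROLE alice TO app_svc;        -- acceptable, scoped
--   GRANT PROXY.LOGIN ON ALL ROLES TO app_svc;         -- avoid

-- Help-desk role: may reset alice's password and list roles, nothing more.
CREATE ROLE IF NOT EXISTS helpdesk
  WITH PASSWORD = 'helpdesk-pw-CHANGE-ME' AND LOGIN = true;
GRANT ALTER    ON ROLE alice TO helpdesk;   -- ALTER ROLE alice ... (not SUPERUSER: superuser only)
GRANT DESCRIBE ON ALL ROLES  TO helpdesk;   -- LIST ROLES
-- Not granted: CREATE/DROP on ALL ROLES, and AUTHORIZE on anything, so helpdesk
-- can neither mint new accounts nor hand out permissions.

-- Verify. LIST ROLES OF alice shows alice and the inherited cycling_readers;
-- LIST ALL PERMISSIONS OF app_svc shows a single PROXY.EXECUTE on <role alice>.
LIST ROLES OF alice;
LIST ALL PERMISSIONS OF app_svc;
LIST ALL PERMISSIONS OF helpdesk;
```

Treat AUTHORIZE on ALL ROLES the same way as PROXY.LOGIN on ALL ROLES: whoever holds it can grant any role, including superuser roles, to any other role, which is superuser-equivalent.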
Resource type: Search index
Privilege | Resource | Permissions |
---|---|---|
ALL PERMISSIONS | ALL SEARCH INDICES | All search index privileges for all search indexes in the system. |
ALL PERMISSIONS | SEARCH KEYSPACE | All search index privileges for all tables in the specified keyspace. |
ALL PERMISSIONS | SEARCH INDEX | All search index privileges for the specified table. |
SEARCH.ALTER | ALL SEARCH INDICES | ALTER SEARCH INDEX on all tables in all keyspaces. |
SEARCH.ALTER | SEARCH KEYSPACE | ALTER SEARCH INDEX on all tables in the specified keyspace. |
SEARCH.ALTER | SEARCH INDEX | ALTER SEARCH INDEX on the specified table. |
SEARCH.COMMIT | ALL SEARCH INDICES | COMMIT SEARCH INDEX on all tables in all keyspaces. |
SEARCH.COMMIT | SEARCH KEYSPACE | COMMIT SEARCH INDEX on all tables in the specified keyspace. |
SEARCH.COMMIT | SEARCH INDEX | COMMIT SEARCH INDEX on the specified table. |
SEARCH.CREATE | ALL SEARCH INDICES | CREATE SEARCH INDEX on all tables in all keyspaces. |
SEARCH.CREATE | SEARCH KEYSPACE | CREATE SEARCH INDEX on all tables in the specified keyspace. |
SEARCH.CREATE | SEARCH INDEX | CREATE SEARCH INDEX on the specified table. |
SEARCH.DROP | ALL SEARCH INDICES | DROP SEARCH INDEX on all tables in all keyspaces. |
SEARCH.DROP | SEARCH KEYSPACE | DROP SEARCH INDEX on all tables in the specified keyspace. |
SEARCH.DROP | SEARCH INDEX | DROP SEARCH INDEX on the specified table. |
SEARCH.REBUILD | ALL SEARCH INDICES | REBUILD SEARCH INDEX on any table in all keyspaces. |
SEARCH.REBUILD | SEARCH KEYSPACE | REBUILD SEARCH INDEX on all tables in the specified keyspace. |
SEARCH.REBUILD | SEARCH INDEX | REBUILD SEARCH INDEX on the specified table. |
SEARCH.RELOAD | ALL SEARCH INDICES | RELOAD SEARCH INDEX on all tables in all keyspaces. |
SEARCH.RELOAD | SEARCH KEYSPACE | RELOAD SEARCH INDEX on all tables in the specified keyspace. |
SEARCH.RELOAD | SEARCH INDEX | RELOAD SEARCH INDEX on the specified table. |
Resource type: Spark applications
Privilege | Resource | Permissions |
---|---|---|
CREATE | ANY WORKPOOL | Submit an application to the work pool in any datacenter. |
CREATE | WORKPOOL | Submit an application to the work pool in a specific datacenter. |
MODIFY | ANY SUBMISSION | Manage any application across all datacenters. |
MODIFY | ANY SUBMISSION IN WORKPOOL | Manage applications in a specified datacenter. |
MODIFY | SUBMISSION application_ID IN WORKPOOL | Manage a single application in a specified datacenter. |
Examples
In most environments, user authentication is handled by a plug-in that verifies user credentials against an external directory service such as LDAP. For simplicity, the following examples use internal users.
Manage object permissions
Use AUTHORIZE to allow a role to manage access control of specific resources.
- Allow a role to grant any permission type, including AUTHORIZE, on all objects in the cycling keyspace:
  GRANT AUTHORIZE ON KEYSPACE cycling TO cycling_admin;
  This makes the role a superuser within the cycling keyspace: a role holding unrestricted AUTHORIZE on a resource can grant any permission on that resource, including to itself and to the roles it inherits permissions from.
- Allow the sam role to assign permission to run queries and change data in the cycling keyspace:
  GRANT AUTHORIZE FOR SELECT, TRUNCATE, UPDATE ON KEYSPACE cycling TO sam;
  The sam role cannot grant other permissions, such as AUTHORIZE, AUTHORIZE FOR ..., ALTER, CREATE, DESCRIBE, and DROP, to another role.
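To see the difference between the two forms in practice, the following is an added example, not part of the DSE documentation, that sets up the restricted delegate sam from the example above, then shows which grants sam can and cannot issue and how a superuser audits what the delegate handed out. Role, keyspace and table names and the passwords are constructed.

```cql
-- Added example (not DSE's own documentation). Names and passwords are constructed.

-- Step 1, as a superuser: a delegate limited to three permissions on one keyspace.
CREATE ROLE IF NOT EXISTS sam
  WITH PASSWORD = 'sam-pw-CHANGE-ME' AND LOGIN = true;
CREATE ROLE IF NOT EXISTS analyst
  WITH PASSWORD = 'analyst-pw-CHANGE-ME' AND LOGIN = true;
GRANT AUTHORIZE FOR SELECT, TRUNCATE, UPDATE ON KEYSPACE cycling TO sam;

-- Step 2, logged in as sam (cqlsh -u sam). Allowed: the permission is in sam's
-- FOR list and the resource is cycling or one of its descendants.
GRANT SELECT ON TABLE    cycling.race_times TO analyst;
GRANT UPDATE ON KEYSPACE cycling            TO analyst;

-- Refused with Unauthorized, for the reason given on each line:
--   GRANT DROP ON TABLE cycling.race_times TO analyst;          -- DROP not in the FOR list
--   GRANT SELECT ON KEYSPACE other_ks TO analyst;               -- outside the delegated resource
--   GRANT SELECT ON ALL KEYSPACES TO analyst;                   -- wider than the delegated resource
--   GRANT AUTHORIZE FOR SELECT ON KEYSPACE cycling TO analyst;  -- AUTHORIZE FOR cannot re-delegate
--   GRANT SELECT ON KEYSPACE cycling TO sam;                    -- sam cannot widen its own access
--     (sam has AUTHORIZE FOR SELECT, not SELECT; it can hand SELECT out but not read)

-- Contrast: with the unrestricted form every statement above would succeed
-- inside cycling, including the self-grant, which is why it is keyspace-superuser:
--   GRANT AUTHORIZE ON KEYSPACE cycling TO cycling_admin;

-- Step 3, as a superuser: audit the delegate and what it handed out.
LIST ALL PERMISSIONS OF sam;       -- expect AUTHORIZE FOR SELECT, TRUNCATE, UPDATE on <keyspace cycling>
LIST ALL PERMISSIONS OF analyst;   -- expect SELECT on <table cycling.race_times>, UPDATE on <keyspace cycling>
```

Note the last refused line: AUTHORIZE FOR a permission is not that permission. If sam also needs to query the data, grant SELECT separately; a delegate that could widen its own grants would be no more constrained than the unrestricted form.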
Access to data resources
Use the data resource permissions to manage access to keyspaces, tables, rows, and types.
Give the role cycling_admin all permissions on the cycling keyspace:
GRANT ALL PERMISSIONS
ON KEYSPACE cycling
TO cycling_admin;
Give the role coach permission to perform SELECT statements and modify data on all tables in the cycling keyspace:
GRANT SELECT, TRUNCATE, UPDATE
ON KEYSPACE cycling
TO coach;
Give the role coach permission to perform ALTER KEYSPACE statements on the cycling keyspace, and also ALTER TABLE, CREATE INDEX, and DROP INDEX statements on all tables in the cycling keyspace (ALTER on a keyspace also covers ALTER TYPE and RESTRICT ROWS there, per the matrix above):
GRANT ALTER
ON KEYSPACE cycling
TO coach;
Give the role martin permission to perform SELECT statements on rows whose filtering column equals 'Sprint' in the cycling.cyclist_category table:
GRANT SELECT
ON 'Sprint' ROWS IN cycling.cyclist_category
TO martin;
The filtering_data string is matched exactly and is case-sensitive: 'Sprint' does not cover 'sprint'. Row-level grants only take effect on a table whose filtering column has been set with RESTRICT ROWS, and they do not narrow a broader grant: a role that also holds SELECT on the table, the keyspace, or ALL KEYSPACES sees every row.
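The following is an added example, not part of the DSE documentation, that carries the row-level grant above through end to end: nominating the filtering column, granting different partitions to different roles, and the checks that show where the restriction does and does not apply. Table, role names and passwords are constructed; RESTRICT ROWS / UNRESTRICT ROWS are the DSE statements that enable and disable row filtering on a table and need ALTER on that table.

```cql
-- Added example (not DSE's own documentation). Names and passwords are constructed.

CREATE TABLE IF NOT EXISTS cycling.cyclist_category (
  category text, points int, id uuid, lastname text,
  PRIMARY KEY (category, points));

-- 1. Nominate the filtering column (here the partition key). Requires ALTER on the
--    table. Until this runs, ROWS grants on the table have nothing to filter on.
RESTRICT ROWS ON cycling.cyclist_category USING category;

-- 2. Row grants: one partition value per grant, matched exactly, case-sensitive.
CREATE ROLE IF NOT EXISTS martin
  WITH PASSWORD = 'martin-pw-CHANGE-ME' AND LOGIN = true;
GRANT SELECT ON 'Sprint' ROWS IN cycling.cyclist_category TO martin;
GRANT UPDATE ON 'Sprint' ROWS IN cycling.cyclist_category TO martin;

CREATE ROLE IF NOT EXISTS nina
  WITH PASSWORD = 'nina-pw-CHANGE-ME' AND LOGIN = true;
GRANT SELECT ON 'Time-trial' ROWS IN cycling.cyclist_category TO nina;

-- 3. Logged in as martin (cqlsh -u martin):
SELECT * FROM cycling.cyclist_category WHERE category = 'Sprint';    -- allowed
UPDATE cycling.cyclist_category SET lastname = 'Smith'
  WHERE category = 'Sprint' AND points = 200;                         -- allowed
-- Refused with Unauthorized: martin holds no permission on these rows.
--   SELECT * FROM cycling.cyclist_category WHERE category = 'Time-trial';
--   SELECT * FROM cycling.cyclist_category WHERE category = 'sprint';   -- case differs
--   DELETE FROM cycling.cyclist_category WHERE category = 'Sprint' AND points = 200;
--     (UPDATE permission covers INSERT/UPDATE/DELETE, but only 'Sprint' rows;
--      martin never received TRUNCATE, so TRUNCATE is refused as well)

-- 4. What row grants do NOT do: they never narrow a wider grant. Any of these
--    would give martin every partition, because permissions flow down the hierarchy:
--   GRANT SELECT ON TABLE    cycling.cyclist_category TO martin;
--   GRANT SELECT ON KEYSPACE cycling                  TO martin;
--   GRANT SELECT ON ALL KEYSPACES                     TO martin;
-- So an audit of a row-restricted role must check all three levels:
LIST ALL PERMISSIONS ON TABLE cycling.cyclist_category OF martin;

-- 5. Disable row filtering again (ALTER on the table); the ROWS grants stay stored
--    but no longer apply, so revoke them too when retiring the restriction.
-- UNRESTRICT ROWS ON cycling.cyclist_category;
-- REVOKE SELECT ON 'Sprint' ROWS IN cycling.cyclist_category FROM martin;
```

The DELETE case is the one most often misread: UPDATE on rows includes DELETE of those rows, so if the intent is read-plus-edit without deletion, grant SELECT only and route edits through an application role.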
To view permissions see LIST PERMISSIONS.