Adding database users

A user account stored in the DataStax Enterprise database is a role that has a login and password or hashed password.

Enable the internal scheme in the authentication_options section of the dse.yaml configuration file.

Procedure

  1. Create a role with login enabled and an internally stored password:

    CREATE ROLE <role_name>
    WITH LOGIN = true
    AND PASSWORD = '<password_string>';

    where

    • <role_name> - The user name for authentication. Enclose the role names that include uppercase or special characters in double quotes.

    • LOGIN = true - Allows the role to access the database.

    • PASSWORD = '<default_password>' - Stored internally for database managed accounts.

    • (Optional) superuser = true - Gives full access to all database objects to the user. See Adding a superuser login.

    This command can also be modified to use a hashed password:

    CREATE ROLE <role_name>
    WITH LOGIN = true
    AND HASHED PASSWORD = '<hashed_password_string>';

    with the DSE tool hash_password -p <hashed_password_string>.

    DSE uses the bcrypt library, Blowfish, and a log2 factor of 10 to generate a random salt added to the password hash.

  2. To allow the role to be used for authentication when scheme_permissions is true, bind the role to an authentication scheme:

    GRANT EXECUTE
    ON INTERNAL SCHEME
    TO <role_name>;
  3. To allow another role to manage the new role:

    GRANT AUTHORIZE FOR ALTER, DROP
    ON <new_role_name>
    TO <management_role>;

    All superusers have authorize permissions on all roles. And the role that created the role is granted all permissions on the role.

  4. Each user can change their own password with the ALTER ROLE command.

    1. User logs in with their role name:

      cqlsh -u <role_name> -p <default_password>
    2. Changes the password:

      ALTER ROLE <role_name>
      WITH password = '<newpassword>';

      or if using a hashed password:

      ALTER ROLE <role_name>
      WITH HASHED PASSWORD = '<Hashed_newpassword>';

What is Next

Assign permissions to the role, see Assigning permissions.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com