Adding database users
A user account stored in the DataStax Enterprise database is a role that has a login and password or hashed password.
Enable the |
Procedure
- Create a role with login enabled and an internally stored password:
    CREATE ROLE <role_name> WITH LOGIN = true AND PASSWORD = '<password_string>';
  where
  - <role_name> - The user name for authentication. Enclose role names that include uppercase or special characters in double quotes.
  - LOGIN = true - Allows the role to access the database.
  - PASSWORD = '<default_password>' - Stored internally for database managed accounts.
  - (Optional) superuser = true - Gives the user full access to all database objects. See Adding a superuser login.
  This command can also be modified to use a hashed password:
    CREATE ROLE <role_name> WITH LOGIN = true AND HASHED PASSWORD = '<hashed_password_string>';
  The hashed password is generated with the DSE tool:
    hash_password -p <hashed_password_string>
  DSE uses the bcrypt library, Blowfish, and a log2 factor of 10 to generate a random salt added to the password hash.
- To allow the role to be used for authentication when scheme_permissions is true, bind the role to an authentication scheme:
    GRANT EXECUTE ON INTERNAL SCHEME TO <role_name>;
- To allow another role to manage the new role:
    GRANT AUTHORIZE FOR ALTER, DROP ON <new_role_name> TO <management_role>;
  All superusers have authorize permissions on all roles, and the role that created a role is granted all permissions on it.
- Each user can change their own password with the ALTER ROLE command.
  - The user logs in with their role name:
      cqlsh -u <role_name> -p <default_password>
  - The user changes the password:
      ALTER ROLE <role_name> WITH password = '<newpassword>';
    or, if using a hashed password:
      ALTER ROLE <role_name> WITH HASHED PASSWORD = '<Hashed_newpassword>';
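The following Python helper is an added example, not DataStax code: it checks that a value is a well-formed bcrypt string with a log2 factor of at least 10 before building the CREATE ROLE ... HASHED PASSWORD and GRANT statements from the first three steps above. The function names, the sample role names and SAMPLE_HASH (a constructed placeholder, not a real hash) are assumptions.

```python
import re

# bcrypt string: $2a$/$2b$/$2y$ prefix, two-digit cost, 22-char salt + 31-char digest.
BCRYPT_RE = re.compile(r"\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}")
MIN_COST = 10  # log2 factor the page states DSE uses

# Constructed placeholder with the right shape; it is not the hash of any password.
SAMPLE_HASH = "$2a$10$" + "N" * 22 + "h" * 31


def bcrypt_cost(hashed):
    """Return the log2 work factor of a bcrypt string, or raise ValueError."""
    m = BCRYPT_RE.fullmatch(hashed)
    if m is None:
        # Typical mistake: a plaintext password passed to HASHED PASSWORD.
        raise ValueError("value is not a bcrypt hash")
    return int(m.group(1))


def quote_role(name):
    """Double-quote names with uppercase or special characters (per the page).
    Assumption: CQL reserved words are not handled here."""
    if re.fullmatch(r"[a-z][a-z0-9_]*", name):
        return name
    return '"' + name.replace('"', '""') + '"'


def provision_statements(role, hashed, manager=None, min_cost=MIN_COST):
    """Build the CQL from the first three steps for a pre-hashed password."""
    cost = bcrypt_cost(hashed)
    if cost < min_cost:
        raise ValueError(f"bcrypt cost {cost} is below the required {min_cost}")
    r = quote_role(role)
    stmts = [
        f"CREATE ROLE {r} WITH LOGIN = true AND HASHED PASSWORD = '{hashed}';",
        f"GRANT EXECUTE ON INTERNAL SCHEME TO {r};",
    ]
    if manager is not None:
        stmts.append(
            f"GRANT AUTHORIZE FOR ALTER, DROP ON {r} TO {quote_role(manager)};"
        )
    return stmts


if __name__ == "__main__":
    for stmt in provision_statements("Alice.Ops", SAMPLE_HASH, manager="role_admin"):
        print(stmt)
```

Rejecting non-bcrypt input at this point prevents a plaintext password from being written into a HASHED PASSWORD clause, where it would be stored as if it were a hash.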
What is Next
Assign permissions to the role; see Assigning permissions.