Controlling Access to DataStax Graph Keyspaces

Set access privileges to roles for DataStax Graph management.

Permissions and syntax

DataStax Graph authentication and authorization is accomplished with either CQL authorization or DSE Unified Authentication. Set access to graphs using the following syntax:

  • Allow access to a graph or vertex label/edge label:

    GRANT <permission_name>
    ON KEYSPACE <graph_name> | [<graph_name>.]<label_table_name>)
    TO <role_name>;
  • Remove access to a graph:

    REVOKE <permission_name>
    ON KEYSPACE <graph_name> | [<graph_name>.]<Label_table_name>)
    TO <role_name>;

Requirements to GRANT or REVOKE Graph permissions

Roles that manage Graph permissions must have AUTHORIZE on the search index resource:

  • Manage permissions for a graph:

    GRANT AUTHORIZE FOR <permission_name>
    ON KEYSPACE <graph_name>
    TO <role_name>;
  • Limit permissions to manage permissions to individual vertex label/edge label table:

    GRANT AUTHORIZE FOR <permission_name>
    ON SEARCH INDEX [<keyspace_name>.]<table_name>
    TO <role_name>;

Superuser roles have permission to perform any action, including accessing a search indexes resource without any further explicit authorization.

Procedure

  • A Studio user must have the following SELECT permissions:

    GRANT SELECT ON system_auth.roles to <graph_role>;

    This permission allows validation of the CQL role settings for <graph_role>.

  • A Graph user must have the following SELECT permissions, set by default, to access DataStax Graph schema views:

    GRANT SELECT ON system_schema.vertices to <graph_role>;
    GRANT SELECT ON system_schema.edges to <graph_role>;

    These permissions need to be granted only in a non-default cluster where system keyspaces filtering is configured.

  • When DSE Search is used for any data in Studio, the following permission is required to access the search resources and display search indexes:

    GRANT SELECT ON solr_admin.solr_resources to <graph_role>;
  • The following permissions are required when AlwaysOn SparkSQL is used with Graph, to determine AOSS status, to display SparkSQL cached tables in the schema view, to identify the current datacenter for the SparkSQL cached tables, and to identify DataStax Graph and AOSS host servers:

    GRANT SELECT ON dse_analytics.alwayson_sql_info to <graph_role>;
    GRANT SELECT ON dse_analytics.alwayson_cache_table to <graph_role>;

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com