Adding database users

A user account stored in the DataStax Enterprise (DSE) database is a role that has a login and password or hashed password.

Enable the internal scheme in the authentication_options section of the dse.yaml configuration file.

Procedure

Create a role with login enabled and an internally stored password:
```
CREATE ROLE <role_name>
WITH LOGIN = true
AND PASSWORD = '<password_string>';
```
where
- <role_name> - The user name for authentication. Enclose the role names that include uppercase or special characters in double quotes.
- LOGIN = true - Allows the role to access the database.
- PASSWORD = '<default_password>' - Stored internally for database managed accounts.
- (Optional) superuser = true - Gives full access to all database objects to the user. See Adding a superuser login.
This command can also be modified to use a hashed password:
CREATE ROLE <role_name> WITH LOGIN = true AND HASHED PASSWORD = '<hashed_password_string>';
with the DSE tool hash_password -p <hashed_password_string>.
DSE uses the bcrypt library, Blowfish, and a log2 factor of 10 to generate a random salt added to the password hash.
To allow the role to be used for authentication when scheme_permissions is true, bind the role to an authentication scheme:
```
GRANT EXECUTE
ON INTERNAL SCHEME
TO <role_name>;
```
To allow another role to manage the new role:
```
GRANT AUTHORIZE FOR ALTER, DROP
ON <new_role_name>
TO <management_role>;
```
All superusers have authorize permissions on all roles. And the role that created the role is granted all permissions on the role.

Each user can change their own password with the ALTER ROLE command.

User logs in with their role name:

cqlsh -u <role_name> -p <default_password>

Changes the password:

ALTER ROLE <role_name>
WITH password = '<newpassword>';

or if using a hashed password:

ALTER ROLE <role_name>
WITH HASHED PASSWORD = '<Hashed_newpassword>';

What is Next

Assign permissions to the role, see Assigning permissions.

Was this helpful?