DataStax Enterprise 6.8 Security Guide


Implementing Separation of Duties

Use the separation of duties functionality to configure administrator roles for permission management without the ability to execute other CQL commands.

Assigning permission management privileges

For administrators and others to use GRANT or REVOKE to manage permissions on a resource, their role must have one of the following permissions on the object:

  • AUTHORIZE granted is true - Manage any permissions that have been granted on the resource; the role also allows the user to execute the CQL commands that correspond to the permission.

    For example, give the admin role both AUTHORIZE and SELECT on the all keyspaces resource:

    GRANT AUTHORIZE, SELECT ON ALL KEYSPACES TO admin;

    Users with the role can GRANT and REVOKE both the AUTHORIZE and SELECT permissions to any other role, including their own:

    LIST ALL PERMISSIONS OF admin;
    role   | username | resource        | permission | granted | restricted | grantable
    -------+----------+-----------------+------------+---------+------------+-----------
     admin |  dbadmin | <all keyspaces> |     SELECT |    True |      False |     False
     admin |  dbadmin | <all keyspaces> |  AUTHORIZE |    True |      False |     False
  • grantable is true for a permission - Manage only the specified permission for other roles, which are not assigned to them. The related commands are executable if granted is also true.

    For example, to allow the sec_admin role to GRANT and REVOKE permissions for other roles but not access the data in all keyspaces:

    GRANT AUTHORIZE FOR CREATE, ALTER, DROP, SELECT, MODIFY, DESCRIBE
    ON ALL KEYSPACES
    TO sec_admin;

    Verify the permissions:

    LIST ALL PERMISSIONS OF sec_admin;

    Granted is false and grantable is true.

     role      | username   | resource        | permission | granted | restricted | grantable
    -----------+------------+-----------------+------------+---------+------------+-----------
     sec_admin |  sec_admin | <all keyspaces> |     CREATE |   False |      False |      True
     sec_admin |  sec_admin | <all keyspaces> |      ALTER |   False |      False |      True
     sec_admin |  sec_admin | <all keyspaces> |       DROP |   False |      False |      True
     sec_admin |  sec_admin | <all keyspaces> |     SELECT |   False |      False |      True
     sec_admin |  sec_admin | <all keyspaces> |     MODIFY |   False |      False |      True
     sec_admin |  sec_admin | <all keyspaces> |   DESCRIBE |   False |      False |      True

Roles that are granted ALL PERMISSIONS can delegate resource permission to all roles. When a user creates an object, they are automatically granted ALL PERMISSIONS.
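
The following added example (not DataStax code) audits saved cqlsh output of LIST ALL PERMISSIONS, in the column layout shown above, for rows where a role combines access with delegation. The sample rows, the ops role, and the two flagging rules are assumptions of this example, based on the granted and grantable semantics described above.

```python
# Constructed sample in the LIST ALL PERMISSIONS layout; the "ops" role is hypothetical.
SAMPLE = """\
 role      | username  | resource        | permission | granted | restricted | grantable
-----------+-----------+-----------------+------------+---------+------------+-----------
 admin     | dbadmin   | <all keyspaces> |     SELECT |    True |      False |     False
 admin     | dbadmin   | <all keyspaces> |  AUTHORIZE |    True |      False |     False
 sec_admin | sec_admin | <all keyspaces> |     SELECT |   False |      False |      True
 sec_admin | sec_admin | <all keyspaces> |     MODIFY |   False |      False |      True
 ops       | ops       | <keyspace app>  |     SELECT |    True |      False |      True
"""

BOOL_COLS = ("granted", "restricted", "grantable")


def parse_permissions(text):
    """Parse a pipe-separated cqlsh permissions table into a list of dicts."""
    # Keeping only lines with '|' drops blanks, the ---+--- rule and the "(N rows)" footer.
    lines = [line for line in text.splitlines() if "|" in line]
    if not lines:
        return []
    header = [cell.strip() for cell in lines[0].split("|")]
    rows = []
    for line in lines[1:]:
        cells = [cell.strip() for cell in line.split("|")]
        if len(cells) != len(header):
            raise ValueError(f"unexpected column count: {line!r}")
        row = dict(zip(header, cells))
        for col in BOOL_COLS:
            row[col] = row[col].lower() == "true"
        rows.append(row)
    return rows


def audit(rows):
    """Return (role, resource, permission, reason) for rows that mix access with delegation."""
    findings = []
    for r in rows:
        if r["permission"] == "AUTHORIZE" and r["granted"]:
            reason = "AUTHORIZE granted: can delegate every permission it holds here"
        elif r["granted"] and r["grantable"]:
            reason = "granted and grantable: can both use and delegate"
        else:
            continue  # delegate-only (grantable) or access-only (granted) row
        findings.append((r["role"], r["resource"], r["permission"], reason))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_permissions(SAMPLE)):
        print(" | ".join(finding))
```

The sec_admin rows pass because granted is false and grantable is true, which is the delegate-only state the page recommends for a security administrator.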

Restriction: The following rules apply when managing roles and access to database objects:

  • Creating a new role requires CREATE granted on ALL ROLES.

  • GRANT/REVOKE requires the permission to be grantable (AUTHORIZE FOR <permission_name>) on the resource.

  • Users cannot modify the LOGIN and SUPERUSER properties of their own role. This prevents users with ALTER permissions from making their own account a SUPERUSER or creating a role with a higher level of permission.

Authorize syntax

Use the following code to allow the role to GRANT and REVOKE:

  • AUTHORIZE and any other permission that has been granted to them on the resource.

    GRANT AUTHORIZE
    ON (ALL KEYSPACES | TABLE <table_name> | '<filter_string>' ROWS IN <table_name>)
    TO <role_name>;
  • Only the listed permissions.

    GRANT AUTHORIZE FOR <permission_list>
    ON <resource_name>
    TO <role_name>;

| Type | Permissions | Resources |
|---|---|---|
| Data | ALTER, CREATE, DESCRIBE, DROP, MODIFY, SELECT | ALL KEYSPACES; KEYSPACE <keyspace_name>; TABLE <table_name>; '<filtering_data>' ROWS IN <table_name> |
| Functions | ALTER, CREATE, DROP, EXECUTE | ALL FUNCTIONS; ALL FUNCTIONS IN KEYSPACE <keyspace_name>; FUNCTION <function_name> ( <argument_types> ) |
| Search indexes | SEARCH.ALTER, SEARCH.COMMIT, SEARCH.CREATE, SEARCH.DROP, SEARCH.REBUILD, SEARCH.RELOAD | ALL SEARCH INDICES; SEARCH INDEX [<keyspace_name>.]<table_name> |
| Roles | ALTER, CREATE, DESCRIBE, DROP | ALL ROLES; ROLE <role_name> |
| Proxy role | PROXY.EXECUTE, PROXY.LOGIN | ROLE <role_name> |
| Authentication Scheme | EXECUTE | ALL AUTHENTICATION SCHEMES; LDAP SCHEME; KERBEROS SCHEME; INTERNAL SCHEME |
| MBeans | DESCRIBE, EXECUTE, MODIFY, and SELECT | ALL MBEANS > MBEANS <pattern> > MBEAN <name> |
| Spark applications | CREATE, DESCRIBE | ANY WORKPOOL > WORKPOOL <datacenter_name> |
| Spark applications | MODIFY, DESCRIBE | ANY SUBMISSION; ANY SUBMISSION IN WORKPOOL <datacenter_name>; SUBMISSION id IN WORKPOOL <datacenter_name> |
| Remote calls | EXECUTE | ALL REMOTE CALLS > REMOTE OBJECT <object_name> > REMOTE METHOD <object_name>.<method_name> |

Delegating role management permissions

  • When AUTHORIZE is granted to a role, the target role can delegate any permission it has on the resource to other roles (including itself).

    GRANT AUTHORIZE ON ALL ROLES
    TO <role_name>;

    The permission shows as granted when the role’s permissions are listed.

    When ALL PERMISSIONS is granted, the role has the ability to GRANT and REVOKE all permissions to all roles, including itself.

  • ROLE

    GRANT <permission>[, <permission> ...]
    ON ROLE <role_name>
    TO <role_name>;

    where <permission> values are ALL PERMISSIONS, ALTER, AUTHORIZE, CREATE, DESCRIBE, and DROP

Table 1. Authorization

| Permission | Resource | Description |
|---|---|---|
| AUTHORIZE | ALL ROLES | GRANT and REVOKE the permissions the issuing role has been granted on the role. |
| AUTHORIZE FOR permission_list | ALL ROLES | GRANT and REVOKE the listed permissions. |
| AUTHORIZE | ROLE <name> | GRANT and REVOKE the permissions the issuing role has been granted on the role. |
| AUTHORIZE FOR permission_list | ROLE <name> | GRANT and REVOKE the listed permissions. |

Delegating resource management permissions

Authentication schemes
  • Delegate privileges to administrators that manage roles.

    GRANT AUTHORIZE [FOR EXECUTE]
    ON (ALL AUTHENTICATION SCHEMES | LDAP SCHEME | KERBEROS SCHEME | INTERNAL SCHEME)
    TO <role_name>;
    • AUTHORIZE - Allows the role to delegate the AUTHORIZE permission; if EXECUTE is also granted, the role can delegate EXECUTE permissions.

    • AUTHORIZE FOR EXECUTE - Allows the role to delegate which other roles can assign scheme permissions without changing their own login scheme.

Manage access

Set up roles that can manage permissions on objects without having access permissions on those objects.

Procedure

  1. Create a role, for example security_admin:

    CREATE ROLE security_admin;
  2. Allow the role to manage roles:

    GRANT ALTER, CREATE, DROP, DESCRIBE
    ON ALL ROLES
    TO security_admin;
  3. Allow authorization for all permissions with no access privileges.

    • Data resources

      GRANT AUTHORIZE FOR ALL PERMISSIONS
      ON ALL KEYSPACES
      TO security_admin;

      which allows the role to grant AUTHORIZE, CREATE, ALTER, DROP, SELECT, MODIFY, and DESCRIBE permission to other roles.

    • Functions and aggregate resources

      GRANT AUTHORIZE FOR ALL PERMISSIONS
      ON ALL FUNCTIONS
      TO security_admin;

      which allows the role to grant AUTHORIZE, CREATE, ALTER, DROP, and EXECUTE permission to other roles.

    • Search indexes

      GRANT AUTHORIZE FOR ALL PERMISSIONS
      ON ALL SEARCH INDICES
      TO security_admin;

      which allows the role to grant AUTHORIZE, SEARCH.CREATE, SEARCH.ALTER, SEARCH.DROP, SEARCH.RELOAD, SEARCH.REBUILD, and SEARCH.COMMIT to other roles.

    • Roles

      GRANT AUTHORIZE FOR ALL PERMISSIONS
      ON ALL ROLES
      TO security_admin;

      which allows the role to grant AUTHORIZE, CREATE, ALTER, DROP, and DESCRIBE permission to other roles.

    • Authentication scheme resources

      GRANT AUTHORIZE FOR ALL PERMISSIONS
      ON ALL AUTHENTICATION SCHEMES
      TO security_admin;

      which allows the role to grant AUTHORIZE and EXECUTE permission to other roles.

    • JMX resources (MBeans) for DSE utilities

      GRANT AUTHORIZE FOR ALL PERMISSIONS
      ON ALL MBEANS
      TO security_admin;

      which allows the role to grant SELECT, MODIFY, AUTHORIZE, DESCRIBE, and EXECUTE permission to other roles.

    • Analytic applications

      • WORKPOOLS

        GRANT AUTHORIZE FOR ALL PERMISSIONS
        ON ANY WORKPOOL
        TO security_admin;

        which allows the role to grant CREATE, DESCRIBE, and AUTHORIZE permission to other roles.

      • SUBMISSIONS

        GRANT AUTHORIZE FOR ALL PERMISSIONS
        ON ANY SUBMISSION
        TO security_admin;

        which allows the role to grant MODIFY, DESCRIBE, and AUTHORIZE permission to other roles.

    • Remote procedure calls

      GRANT AUTHORIZE FOR ALL PERMISSIONS
      ON ALL REMOTE CALLS
      TO security_admin;
  4. Assign the role depending on the Role Management mode:

    • Internal - Use the GRANT command to assign the role to a login or another group role.

      GRANT security_admin TO <login_role_name>;
    • LDAP - Create a group object with a matching Common Name (CN) (security_admin) and assign users as members of the group.
