Authentication scheme resources

When using multiple authentication schemes, there can be overlap between users and groups. For example, an internal login role admin and an LDAP group admin. For each role, you can bind the role to an authentication scheme preventing roles from being assigned to the wrong users.

Restriction: Only applies when scheme permissions are enabled in the authentication configuration.

The location of the cassandra.yaml file depends on the type of installation:

  • Package installations: /etc/hcd/cassandra/cassandra.yaml

  • Tarball installations: <installation_location>/resources/cassandra/conf/cassandra.yaml

Schemes hierarchy:

300

Synopsis

ALL AUTHENTICATION SCHEMES

Allows role to be assigned to users who authenticated against any scheme.

GRANT EXECUTE
ON ALL AUTHENTICATION SCHEMES
TO <role_name>;
LDAP SCHEME | KERBEROS SCHEME | INTERNAL SCHEME

Only assigns role to user if they authenticated against the specified scheme:

GRANT EXECUTE
ON (LDAP SCHEME | KERBEROS SCHEME | INTERNAL SCHEME)
TO <role_name>;

Permission matrix

Permission Resource Description

EXECUTE

ALL AUTHENTICATION SCHEMES

Assign role to user from any scheme.

LDAP SCHEME

Assign role to only LDAP users.

KERBEROS SCHEME

Assign role to only Kerberos principals.

INTERNAL SCHEME

Assign role to only internally authenticated login roles.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com