Authentication scheme resources
When using multiple authentication schemes, there can be overlap between users and groups. For example, an internal login role admin and an LDAP group admin. For each role, you can bind the role to an authentication scheme preventing roles from being assigned to the wrong users.
Restriction: Only applies when scheme permissions are enabled in the authentication configuration.
The location of the cassandra.yaml file depends on your installation type.
-
Package installations
-
Tarball installations
/etc/hcd/cassandra/cassandra.yamlINSTALLATION_LOCATION/resources/cassandra/conf/cassandra.yamlReplace INSTALLATION_LOCATION with the path where you extracted the HCD tarball.
Schemes hierarchy:
Synopsis
- ALL AUTHENTICATION SCHEMES
-
Allows role to be assigned to users who authenticated against any scheme.
GRANT EXECUTE ON ALL AUTHENTICATION SCHEMES TO <role_name>; - LDAP SCHEME | KERBEROS SCHEME | INTERNAL SCHEME
-
Only assigns role to user if they authenticated against the specified scheme:
GRANT EXECUTE ON (LDAP SCHEME | KERBEROS SCHEME | INTERNAL SCHEME) TO <role_name>;
Permission matrix
| Permission | Resource | Description |
|---|---|---|
EXECUTE |
ALL AUTHENTICATION SCHEMES |
Assign role to user from any scheme. |
LDAP SCHEME |
Assign role to only LDAP users. |
|
KERBEROS SCHEME |
Assign role to only Kerberos principals. |
|
INTERNAL SCHEME |
Assign role to only internally authenticated login roles. |
