Bind a role to an authentication scheme
Prevent unintentional role assignment when a group name or user name is found in multiple schemes.
When a role has execute permission on a scheme, the role can only be applied to users who authenticated against that scheme.
Use the GRANT and REVOKE commands:

- To associate a role with a scheme:
GRANT EXECUTE ON [ALL AUTHENTICATION SCHEMES|INTERNAL SCHEME|LDAP SCHEME] TO <role_name>;
- To remove a role from a scheme:
REVOKE EXECUTE ON [ALL AUTHENTICATION SCHEMES|INTERNAL SCHEME|LDAP SCHEME] FROM <role_name>;
Prerequisites

- Locate the cassandra.yaml configuration file. The location of this file depends on your installation type.
  - Package installations: /etc/hcd/cassandra/cassandra.yaml
  - Tarball installations: INSTALLATION_LOCATION/resources/cassandra/conf/cassandra.yaml
  Replace INSTALLATION_LOCATION with the path where you extracted the HCD tarball.
- Set authorization_options.scheme_permissions: true in the cassandra.yaml file. Once enabled, roles must be associated with an authentication scheme in order to be assigned.

Roles are resources that can be assigned to another role. Permissions are inherited, meaning that all the permissions from a resource role are granted to the target role.
Add a role to an authentication scheme

- Allow role assignment for users authenticating with any scheme:
GRANT EXECUTE ON ALL AUTHENTICATION SCHEMES TO <role_name>;
- Allow role assignment only for users authenticating with LDAP:
GRANT EXECUTE ON LDAP SCHEME TO <role_name>;
- Allow role assignment only for users authenticating with the internal scheme:
GRANT EXECUTE ON INTERNAL SCHEME TO <role_name>;
- Allowing role assignment for multiple schemes, such as users authenticating with internal or LDAP, requires executing multiple CQL statements:
GRANT EXECUTE ON INTERNAL SCHEME TO <role_name>;
GRANT EXECUTE ON LDAP SCHEME TO <role_name>;
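An added end-to-end example (not from this page or the HCD documentation) that binds a role to the LDAP scheme so that an internally authenticated account sharing the same user name does not inherit it; the role name ldap_analyst, the login role jdoe, the keyspace sales, and the LIST ALL PERMISSIONS verification step are assumptions for illustration.

```cql
-- Added example; assumes authorization_options.scheme_permissions: true
-- is already set in cassandra.yaml. Names below are placeholders.

-- 1. Create the role that LDAP-authenticated analysts will receive,
--    and give it the permissions it carries.
CREATE ROLE IF NOT EXISTS ldap_analyst WITH LOGIN = false;
GRANT SELECT ON KEYSPACE sales TO ldap_analyst;

-- 2. Bind the role to the LDAP scheme only. With scheme_permissions
--    enabled, a role without a scheme binding cannot be assigned at all.
GRANT EXECUTE ON LDAP SCHEME TO ldap_analyst;

-- 3. Grant the role to the login role that an LDAP user maps to
--    (assumed setup: jdoe exists as a login role matching the LDAP name).
CREATE ROLE IF NOT EXISTS jdoe WITH LOGIN = true;
GRANT ldap_analyst TO jdoe;

-- Effect: a session for jdoe authenticated via LDAP receives
-- ldap_analyst. A session for an internal account also named jdoe
-- does not, because the role is not bound to the internal scheme.

-- 4. Verify the binding and the role's effective permissions.
LIST ALL PERMISSIONS OF ldap_analyst;

-- 5. To extend the role to internal accounts as well, add a second
--    binding; each scheme needs its own statement.
GRANT EXECUTE ON INTERNAL SCHEME TO ldap_analyst;

-- 6. To stop the role from applying to LDAP sessions, remove the binding.
REVOKE EXECUTE ON LDAP SCHEME FROM ldap_analyst;
```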