Authorize HCD client tools and Spark

This document describes how to authorize HCD client tools and external Spark components to access the database with proper authentication and permissions. HCD is "bring your own Spark" - it does not include its own Spark distribution.

Prerequisites

  • HCD cluster is running and accessible

  • Authentication is enabled on the cluster

  • User has administrative privileges to create roles and grant permissions

Create roles for client tools

Create specific roles for different client tools:

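-- Role for HCD client tools
-- LOGIN = true lets the role authenticate; PASSWORD applies to internal authentication.
-- Replace each <password> placeholder with a strong, unique value.
CREATE ROLE hcd_client_tool WITH LOGIN = true AND PASSWORD = '<password>';

-- Role for Spark applications
CREATE ROLE spark_app WITH LOGIN = true AND PASSWORD = '<password>';

-- Role for external Spark applications
CREATE ROLE external_spark WITH LOGIN = true AND PASSWORD = '<password>';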

Grant permissions

Grant appropriate permissions to each role:

-- Grant permissions to HCD client tool role
GRANT SELECT ON ALL KEYSPACES TO hcd_client_tool;
GRANT MODIFY ON ALL KEYSPACES TO hcd_client_tool;

-- Grant permissions to Spark application role
GRANT SELECT ON ALL KEYSPACES TO spark_app;
GRANT MODIFY ON ALL KEYSPACES TO spark_app;
GRANT CREATE ON ALL KEYSPACES TO spark_app;

-- Grant permissions to external Spark applications role
GRANT SELECT ON ALL KEYSPACES TO external_spark;
GRANT MODIFY ON ALL KEYSPACES TO external_spark;
GRANT CREATE ON ALL KEYSPACES TO external_spark;
GRANT DROP ON ALL KEYSPACES TO external_spark;

Configure authentication

Ensure that the client tools are configured to use the appropriate authentication method:

  • Internal Authentication: Use username/password

  • LDAP Authentication: Configure LDAP connection settings

  • OIDC Authentication: Configure OIDC provider settings

Test authorization

Verify that the authorization is working correctly:

# Test connection with client tool role
# (omit -p to have cqlsh prompt for the password instead of exposing it on the command line)
cqlsh -u hcd_client_tool -p password

# Test Spark connection
# Use appropriate Spark configuration with authentication

Security considerations

  • Use strong passwords for all roles.

  • Regularly rotate credentials.

  • Monitor access logs for suspicious activity.

  • Grant only necessary permissions to each role.

  • Consider using SSL/TLS for all connections.
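
One way to apply "Grant only necessary permissions to each role" to the spark_app role from this page, shown as an added example that is not part of the original documentation: the cluster-wide grants are replaced with keyspace-scoped ones and the result is verified. The keyspace names analytics and staging are placeholders assumed for illustration.

```cql
-- Added example. The keyspaces `analytics` (job input) and `staging`
-- (job output) are assumed placeholder names, not names from this page.

-- Remove the cluster-wide grants from the Spark application role.
REVOKE SELECT ON ALL KEYSPACES FROM spark_app;
REVOKE MODIFY ON ALL KEYSPACES FROM spark_app;
REVOKE CREATE ON ALL KEYSPACES FROM spark_app;

-- Read-only access to the keyspace the job reads from.
GRANT SELECT ON KEYSPACE analytics TO spark_app;

-- Read, write, and table creation only in the keyspace the job writes to.
GRANT SELECT ON KEYSPACE staging TO spark_app;
GRANT MODIFY ON KEYSPACE staging TO spark_app;
GRANT CREATE ON KEYSPACE staging TO spark_app;

-- Confirm the effective permissions: no row should reference all keyspaces.
LIST ALL PERMISSIONS OF spark_app;
```

The same pattern applies to hcd_client_tool and external_spark, including the DROP grant on external_spark.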

Troubleshooting

The following are common issues that you may encounter:

  • Authentication failures: Verify credentials and authentication configuration

  • Permission denied errors: Check role permissions and ensure proper grants

  • Connection timeouts: Verify network connectivity and firewall settings

Check the following logs for authentication and authorization issues:

  • HCD system logs

  • Authentication service logs

  • Client tool logs

© 2025 DataStax