Granting permission when role-based access control is enabled

About this task

When Cassandra role-based access control (RBAC) is enabled, a default account is created with username cassandra and password cassandra. Create additional roles with permissions for the OpsCenter cluster and the monitored DataStax Enterprise (DSE) cluster. The Cassandra role used for the agent should have ALL permissions for the OpsCenter keyspace and DESCRIBE and SELECT for the monitored DSE cluster.

Procedure

  • Create opscenter role with SELECT permissions for the monitored DSE cluster:

    CREATE ROLE opscenter WITH PASSWORD = 'opscenter' AND SUPERUSER = false AND LOGIN = true;
GRANT SELECT ON TABLE system.local TO opscenter;
GRANT SELECT ON TABLE system.peers TO opscenter;

  • Create agent role with SELECT permissions for the monitored DSE cluster:

    CREATE ROLE agent WITH PASSWORD = agent AND SUPERUSER = false AND LOGIN = true;
GRANT SELECT ON TABLE system.local TO agent;
GRANT SELECT ON TABLE system.peers TO agent;
GRANT SELECT ON TABLE dse_perf.node_slow_log TO agent;

  • Create opscenter role with ALL permissions.

    • For an OpsCenter keyspace in the monitored DSE cluster:

      CREATE ROLE opscenter WITH PASSWORD = 'opscenter' AND SUPERUSER = false AND LOGIN = true;
GRANT ALL ON KEYSPACE opscenter_keyspace TO opscenter;

    • For a separate OpsCenter storage cluster:

      CREATE ROLE agent WITH PASSWORD = agent AND SUPERUSER = false AND LOGIN = true;
GRANT ALL ON KEYSPACE opscenter_keyspace TO agent;

  • If you plan to enable or disable NodeSync for specific tables using OpsCenter NodeSync Service, grant the opscenter role with ALTER permissions for those tables:

    GRANT ALTER ON TABLE keyspace_name.table_name TO opscenter;

  • To allow OpsCenter to restore DataStax Graphs for DSE 6.7 and earlier, grant the opscenter role with MODIFY, SELECT, and ALTER permissions for dse_system.shared_data:

    GRANT MODIFY, SELECT, ALTER ON TABLE dse_system.shared_data TO opscenter;

  • To allow OpsCenter to restore DataStax Graphs for DSE 6.8, grant the opscenter role with UPDATE, SELECT, and ALTER permissions for dse_system.shared_data:

    GRANT UPDATE, SELECT, ALTER ON TABLE dse_system.shared_data TO opscenter;

  • For DSE 6.7 and earlier Search clusters, grant the agent role with SELECT and MODIFY permissions for solr_admin.solr_resources:

    GRANT SELECT, MODIFY ON TABLE solr_admin.solr_resources TO agent;

  • For DSE 6.8 Search clusters, grant the agent role with SELECT and UPDATE permissions for solr_admin.solr_resources:

    GRANT SELECT, UPDATE ON TABLE solr_admin.solr_resources TO agent;

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com