OpsCenter access roles overview

DataStax Enterprise (DSE) customers have the ability to define custom, fine-grained access roles for their users. OpsCenter can be configured to require users to log in using OpsCenter authentication. Permissions to perform certain operations can be granted to each role, and a role can be assigned to users. A user can only be assigned one role, and each role applies to all clusters.

Authenticating with LDAP in OpsCenter requires defining roles for LDAP users. If using LDAP authentication, users can have multiple roles. Upon logging in, the permissions of all roles assigned to the user are merged.

Admin role privileges

The admin role is built into OpsCenter and cannot be edited or removed. By default, the admin role is the only role created automatically when authentication is enabled. Only users with the admin role can manage users and roles, add new clusters, or manually update definition files.

Changing the default admin password is strongly recommended the first time you log in.

Custom user role privileges

Only those assigned the admin role can manage roles. Each role represents permissions for all clusters managed by OpsCenter. Any functionality in OpsCenter that a user does not have permission for appears gray and unavailable to that logged-in user.

If using the OpsCenter API, users without sufficient permissions receive an HTTP 401 Unauthorized response from the API.

Adding a cluster does not automatically add permissions for any existing roles. After adding a cluster, apply the permissions to the cluster for each role as appropriate for your organization.

In OpsCenter 6.5.3 and later, you must update custom scripts and applications that use the OpsCenter API if you want to use multiple user roles with LDAP authentication. If a script or application that uses the OpsCenter API does not account for multiple user roles and a user has multiple roles, the script or application fails because the single role attribute cannot be found. The single role attribute is still provided for users that have only one role, so if all users of your application or script have only one role, no update is required for continued use.
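As an added example (not DataStax code), the following Python helpers show how a script consuming OpsCenter user and role records can handle both the single role attribute and the multi-role LDAP case, merge permissions per cluster, and flag roles that have no permissions on a newly added cluster. The "roles" list attribute and the role definitions below are assumptions; the page names only the single role attribute.

```python
"""Helpers for scripts that consume OpsCenter user and role records.

Added example, not DataStax code. Assumptions: the multi-role record uses a
"roles" list (the page names only the single "role" attribute), and role
definitions are modelled as role -> cluster -> set of permission names.
"""

# Constructed role definitions: each role carries permissions per cluster.
# A cluster with no permissions checked is hidden from users in that role.
ROLE_DEFS = {
    "ops": {
        "cluster_a": {"View Cluster", "Start and Stop", "Repair"},
        "cluster_b": {"View Cluster"},
    },
    "backup": {
        "cluster_a": {"View Cluster", "Backup Service"},
    },
}


def user_roles(user):
    """Return the role names for a user record.

    Users with one role carry a single "role" attribute. Under LDAP with
    several roles that attribute is absent, so fall back to the assumed
    "roles" list instead of failing with a KeyError.
    """
    if "role" in user:
        return [user["role"]]
    if "roles" in user:  # assumed attribute name for the multi-role case
        return list(user["roles"])
    raise ValueError(f"user {user.get('name')!r} has no role information")


def effective_permissions(user, role_defs=ROLE_DEFS):
    """Merge permissions across all of a user's roles, per cluster."""
    merged = {}
    for role in user_roles(user):
        for cluster, perms in role_defs.get(role, {}).items():
            merged.setdefault(cluster, set()).update(perms)
    return merged


def visible_clusters(user, role_defs=ROLE_DEFS):
    """Clusters the user can see: those with at least one permission."""
    perms = effective_permissions(user, role_defs)
    return sorted(c for c, p in perms.items() if p)


def roles_missing_cluster(cluster, role_defs=ROLE_DEFS):
    """Roles with no permissions on a cluster, such as one just added to
    OpsCenter, which receives no permissions until an admin grants them."""
    return sorted(r for r, cl in role_defs.items() if not cl.get(cluster))
```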

Role permissions

When defining custom roles, each role can have specific permissions enabled for that role. Each user can only be assigned a single role, which contains permissions for all clusters managed by OpsCenter. If using LDAP authentication, users can have multiple roles. Use the Cluster menu to view permissions for each cluster for a selected role. To hide a cluster for users within a selected role, uncheck all permissions.


Permission / Description

Core functionality

View Cluster

Allows users to view a cluster in the Clusters area of the OpsCenter Monitoring UI.

Install Agents

Allows users to install or upgrade agents automatically or manually.

Edit Connection Settings

Allows users to edit the cluster connection settings for a DSE cluster monitored in OpsCenter.

Manage Alerts

Allows users to add alerts for monitoring conditions in DSE clusters.

Cluster Configuration

Allows users to configure the Performance Service.

Services

Backup Service

Allows users to perform backups and restores.

Best Practice Service

Allows users to configure and schedule Best Practice Service rules for managing DSE clusters.

Repair Service

Allows users to start, stop, and configure the Repair Service for running repairs on DSE clusters.

NodeSync Service

Allows authorized users to access status and configure settings for the NodeSync Service.

Performance Service Configuration

Allows users to configure the Performance Service.

Performance Service CQL Tracing

Allows users to trace slow CQL queries when troubleshooting query issues.

Node Operations

Start and Stop

Allows users to start and stop DSE nodes. Start and stop nodes from the Other Actions menu options available in the List view, or from the Actions menu in the Node Details view.

Cleanup

Allows users to run a cleanup on one or more keyspaces.

Compact

Allows users to run compaction on keyspaces and their tables. Major compactions are not recommended unless there is a compelling reason to do so.

Drain

Allows users to drain a node. The Drain option is available from the Actions menu in the Node Details dialog view, and also available when restarting DSE on a node.

Flush

Allows users to flush a keyspace and its tables. Flushing a keyspace might affect system performance when there are many live, large memtables.

Garbage Collection

Allows users to perform garbage collection on nodes. Running GC causes a spike in latency.

Repair

Allows users to manually run an ad hoc repair operation on selected nodes in the List view.

Data

View Schema

Allows users to view the CQL statements for the schema in the Data workspace of OpsCenter Monitoring. Users must have the View Schema permission to use View Tables, View UDT, View UDF, and View UDA. Users without the View Schema permission are shown a message explaining that they need the role permission to view anything in the Data workspace, and that they should contact their OpsCenter administrator to obtain access.

Modify Schema

Allows users to edit keyspace settings, delete keyspaces, or delete tables in the Data workspace of OpsCenter.

Truncate Data

Allows users to truncate data from a table. The Truncate link appears as gray and unavailable for users who do not have this permission granted for their role.

Cluster Topology

Add Nodes

Deprecated. Now users add nodes to an existing DSE cluster using Lifecycle Manager. Anyone assigned an admin role can use any feature of LCM.

Rebalance Cluster (non-vnode)

Allows users to rebalance a non-vnode cluster. Not applicable to vnodes.

Move

Allows users to move a node, enter a new token, and assign the new token to the node. During a move node operation, the node is unavailable and cluster performance might be affected. Not applicable to vnodes. Access the Move option from the Other Actions menu available in the List view, or from the Actions menu in the Node Details dialog view.

Decommission

Allows users to decommission a node from the Actions menu in the Node Details dialog view.

Remove Tokens

Allows removing tokens using the APIs.