Creating roles for Kerberos principals

Create roles whose names match Kerberos principal names.

When the role management mode is internal, create a role whose name matches the user's Kerberos principal so that the user can log in and execute CQL requests. Without a matching role, a valid Kerberos ticket is not enough to connect.

Note: DSE also supports Kerberos authentication with LDAP role management, when the principal name matches the email address attribute of the LDAP user. In that case, configure the group lookup with the user_memberof_attribute option.

Procedure

  1. Create a role that matches the principal name, including the Kerberos REALM, with login enabled:
    CREATE ROLE "user_name@REALM" 
    WITH LOGIN = true;
    • user_name@REALM - The complete user principal name, including the realm. Always enclose role names that contain uppercase or special characters in double quotes; a principal always does (the @ and the usually uppercase realm), and an unquoted name would be folded to lowercase and never match the principal.
    • LOGIN = true - Allows the role to access the database.
    • (Optional) SUPERUSER = true - Gives full access to all database objects to the user. See Creating superuser accounts.
  2. Bind the assignment to an authentication scheme:
    GRANT EXECUTE 
    ON KERBEROS SCHEME 
    TO 'user_name@REALM';

    Enclose the role name in quotes; the name is case-sensitive and must match the principal created in step 1 exactly.

  3. (Optional) To allow another role to manage the new role without being a superuser:
    GRANT AUTHORIZE FOR ALTER, DROP
    ON ROLE new_role_name
    TO management_role;
    Tip: Superusers already have AUTHORIZE permission on all roles, and the role that created a role is granted all permissions on it.
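The whole procedure carried through for one principal, as an added example that is not part of the DSE documentation. It assumes a principal alice@EXAMPLE.COM, an application keyspace named app, and an existing management role named dba_admin. CQL accepts a role name either as a double-quoted identifier or as a single-quoted string; the example uses double quotes throughout so the name is preserved exactly as written.

```cql
-- Added example (not from the DSE documentation). Assumptions: the
-- Kerberos principal is alice@EXAMPLE.COM, the keyspace is app, and a
-- role named dba_admin already exists to manage principal roles.

-- 1. The role name is the full principal. Double quotes keep the '@' and
--    the uppercase realm intact; an unquoted identifier would be
--    lowercased and would never match the principal.
CREATE ROLE "alice@EXAMPLE.COM" WITH LOGIN = true;

-- 2. Bind the role to the Kerberos scheme so that a ticket for this
--    principal is accepted as a login for this role.
GRANT EXECUTE ON KERBEROS SCHEME TO "alice@EXAMPLE.COM";

-- 3. (Optional) Let dba_admin alter or drop this role without needing
--    superuser rights. The resource must be prefixed with ROLE; a bare
--    name would be parsed as a table name.
GRANT AUTHORIZE FOR ALTER, DROP ON ROLE "alice@EXAMPLE.COM" TO dba_admin;

-- Post-requisite: LOGIN grants no access to any keyspace or table, so
-- grant the least data access the user actually needs.
GRANT SELECT ON KEYSPACE app TO "alice@EXAMPLE.COM";

-- Verify: the role exists with login enabled and only the intended
-- permissions (EXECUTE on the scheme, SELECT on the keyspace).
LIST ROLES;
LIST ALL PERMISSIONS OF "alice@EXAMPLE.COM";
```

Run the statements with cqlsh as a superuser or as a role that holds CREATE and AUTHORIZE on roles. The final LIST ALL PERMISSIONS output is the check worth keeping: it should show the scheme binding and the keyspace grant and nothing broader.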

What's next

Assign permissions to the role; LOGIN by itself grants no access to data. See Authorizing access to database resources.