About roles
Define roles and configure permissions to control access to database resources for authenticated users.
dse.yaml
The location of the dse.yaml file depends on the type of installation:
Installation type | Location |
---|---|
Package installations | /etc/dse/dse.yaml |
Tarball installations | installation_location/resources/dse/conf/dse.yaml |
Role-based access control (RBAC) is only available after completing Enabling DSE Unified Authentication.
A role is a database resource to which privileges to access other database resources are assigned. Under the internal authentication scheme, a role is also an individual user for authentication purposes. To execute CQL commands in a DSE environment with authorization enabled, a user must have at least one role with login privileges.
Understanding role assignment
The mapping from authenticated users to roles is selected with role_management_options.mode in dse.yaml:
- internal: Uses a primary role for each individual user and is a 1-to-1 mapping. A role is assigned by matching the authenticated user name to a role name. Manage permissions by nesting roles: use GRANT role_name TO role_name to give all the permissions of the first role to the second role.
- ldap: Uses LDAP group membership and is a 1-to-many mapping. The DSE Role Manager looks up the user in LDAP and returns a list of groups. Users are assigned all the roles whose names match their group names. Roles for each individual user are not required, and the user's set of DSE roles changes automatically as LDAP group membership changes. Manage permissions for each group. DSE disables nested roles when LDAP mode is selected; using GRANT role_name TO role_name results in an error.
Use the CQL CREATE ROLE, ALTER ROLE, and DROP ROLE commands to manage roles.
Managing roles
Creating a role to manage access to database objects is a two-step process: first CREATE ROLE, then GRANT permissions on a resource to that role.
CREATE ROLE role_name [WITH option [AND option ...]];
ALTER ROLE role_name WITH option [AND option ...];
DROP ROLE role_name;
where option is one of LOGIN = true, SUPERUSER = true, or PASSWORD = 'password'; several options are combined with AND.
- SUPERUSER: (Default: false) Can execute ALL CQL commands; equivalent to a root account.
DataStax recommends giving superuser status only to a limited number of users and managing superuser authentication with the internal scheme. When using LDAP group management (role_management_options.mode: ldap), set authentication_options.scheme_permissions: true and bind the superuser role to the internal scheme (see Binding a role to an authentication scheme) so that an LDAP group name that happens to match the superuser role cannot confer superuser status unintentionally.
- LOGIN: (Default: false) Required to execute CQL requests. A role used purely as an assignable permission set (granted to other roles) does not need LOGIN, and leaving it off means nobody can authenticate as that role.
- PASSWORD: (Default: null) Stores a salted bcrypt hash of the password for the role in the system_auth keyspace. A role that has a password represents an individual user that can authenticate against the internal scheme (it also requires LOGIN = true).
To list all roles, or only the roles granted to a specific role:
LIST ROLES [OF role_name];
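The two-step flow above (CREATE ROLE, then GRANT on a resource), role nesting under the internal scheme, and the superuser guidance, as an added example; this is not code from the DSE documentation. The keyspace app, the role names and the passwords are placeholders, and the GRANT EXECUTE ON INTERNAL SCHEME statement is the scheme-binding syntax from the linked page, applied here on the assumption that authentication_options.scheme_permissions is enabled in dse.yaml.

```cql
-- Added example (not from the DSE documentation). Keyspace "app", role
-- names and passwords are assumed placeholders.

-- 1. A permission-set role: no LOGIN and no PASSWORD, so nobody can
--    authenticate as it; it exists only to carry permissions.
CREATE ROLE app_reader;
GRANT SELECT ON KEYSPACE app TO app_reader;

-- 2. An individual user role for the internal scheme. LOGIN is required
--    to execute CQL; PASSWORD stores a bcrypt hash in system_auth.
CREATE ROLE alice WITH PASSWORD = 'change-me-on-first-login' AND LOGIN = true;

-- 3. Nest roles (internal mode only; this statement errors when
--    role_management_options.mode is ldap). alice inherits every
--    permission held by app_reader.
GRANT app_reader TO alice;

-- 4. Verify: roles granted to alice, then her effective permissions.
LIST ROLES OF alice;
LIST ALL PERMISSIONS OF alice;

-- 5. A superuser for administration, kept on the internal scheme.
--    The scheme binding is the form from "Binding a role to an
--    authentication scheme" (assumed here; requires scheme_permissions: true
--    in dse.yaml) and stops an LDAP group called "dba" from mapping to it.
CREATE ROLE dba WITH PASSWORD = 'use-a-long-random-secret'
    AND LOGIN = true AND SUPERUSER = true;
GRANT EXECUTE ON INTERNAL SCHEME TO dba;

-- 6. Once dba is verified, remove the installation's default superuser
--    account (named "cassandra" in a stock install; not described on this
--    page) so the well-known credentials cannot be used.
-- DROP ROLE cassandra;
```

Roles used only as permission sets (app_reader) are intentionally created without LOGIN or PASSWORD; if such a role ever needs to be checked, LIST ROLES shows its login flag as false, which is the expected state.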
Permissions to create, modify, and drop roles
Permission | Database resource | Description |
---|---|---|
ALTER | ALL ROLES or ROLE role_name | ALTER ROLE on any role, or only on the specified role. |
CREATE | ALL ROLES or ROLE role_name | CREATE ROLE with any name, or only a role with the specified name. The creating role is automatically granted AUTHORIZE on the new role. |
DESCRIBE | ALL ROLES or ROLE role_name | LIST ROLES on all roles, or only the roles granted to the specified role. |
DROP | ALL ROLES or ROLE role_name | DROP ROLE on any role, or only on the specified role. |
Permissions to manage access control
To manage permissions, the role issuing GRANT or REVOKE must have AUTHORIZE permission on both the target role and the resource:
GRANT AUTHORIZE ON resource_name TO management_role;
GRANT AUTHORIZE ON ROLE target_role TO management_role;
GRANT AUTHORIZE ON ROLE proxy_role TO management_role;
GRANT AUTHORIZE ON ROLE application_role TO management_role;
where AUTHORIZE gives management_role the ability to GRANT and REVOKE permissions on the named resource or role, and resource_name is any database resource (see database resources).
- Creating a new role requires CREATE permission on ALL ROLES (or on the specific ROLE role_name). The role that creates a role is automatically granted AUTHORIZE on the new role.
- GRANT/REVOKE requires AUTHORIZE permission on both the target role and the database resource.
- A role can modify only roles other than itself. This prevents a user with ALTER permission from making their own account a SUPERUSER, or from creating a role with a higher level of permission than their own.
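Delegating role and permission management to a non-superuser, following the rules above, as an added example that is not from the DSE documentation. It assumes the keyspace app and the permission-set role app_reader already exist (as in the earlier example); the role names and password are placeholders. The second half is meant to be run after logging in as role_admin.

```cql
-- Added example (not from the DSE documentation). Assumes keyspace "app"
-- and role "app_reader" exist; names and password are placeholders.

-- Run as a superuser (or a role that already holds AUTHORIZE on these
-- resources): create the management role with exactly the authority it needs.
CREATE ROLE role_admin WITH PASSWORD = 'use-a-long-random-secret' AND LOGIN = true;

-- May create new roles. The creator is automatically granted AUTHORIZE on
-- each role it creates, so it can later GRANT to those roles without help.
GRANT CREATE ON ALL ROLES TO role_admin;

-- May list all roles (LIST ROLES) without being able to change them.
GRANT DESCRIBE ON ALL ROLES TO role_admin;

-- AUTHORIZE is required on BOTH sides of every GRANT/REVOKE it will issue:
-- the resource whose permissions are handed out ...
GRANT AUTHORIZE ON KEYSPACE app TO role_admin;
-- ... and each pre-existing target role it may hand them to.
GRANT AUTHORIZE ON ROLE app_reader TO role_admin;

-- Deliberately NOT granted: ALTER ON ALL ROLES, AUTHORIZE ON ALL KEYSPACES,
-- SUPERUSER. role_admin is confined to keyspace "app" and cannot raise
-- its own privileges.

-- Now log in as role_admin. These statements succeed:
CREATE ROLE app_writer;                       -- CREATE ON ALL ROLES; gains AUTHORIZE on app_writer
GRANT MODIFY ON KEYSPACE app TO app_writer;   -- AUTHORIZE on KEYSPACE app + on ROLE app_writer
GRANT SELECT ON KEYSPACE app TO app_reader;   -- AUTHORIZE on KEYSPACE app + on ROLE app_reader
LIST ROLES;                                   -- DESCRIBE ON ALL ROLES
LIST ALL PERMISSIONS OF app_writer;           -- confirm only MODIFY on app was granted

-- These are rejected as unauthorized: no AUTHORIZE on any other keyspace,
-- and a role cannot alter itself (so it cannot become SUPERUSER).
-- GRANT SELECT ON KEYSPACE system_auth TO app_reader;
-- ALTER ROLE role_admin WITH SUPERUSER = true;
```

The point of granting AUTHORIZE on KEYSPACE app rather than on ALL KEYSPACES is that the delegate's reach is bounded by the resource hierarchy: a GRANT on system_auth or any other keyspace fails even though role_admin can create roles freely. Review the delegate's own permissions with LIST ALL PERMISSIONS OF role_admin after setup to confirm nothing broader slipped in.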