About roles

Define roles and configure permissions to control access to database resources for authenticated users.

Role-based access control (RBAC) is only available after completing Enabling DSE Unified Authentication.

A role is a database resource to which privileges to access other database resources are assigned. A role is also an individual user for authentication purposes when using the internal authentication scheme. To execute CQL commands in DSE authorization enabled environments, a user must have at least one role with login privileges.

Understanding role assignment

The DSE Role Manager mode effects how a role is assigned to an authenticated user:
  • internal: Uses a primary role for each individual user and is a 1-to-1 mapping. A role is assigned by matching the authenticated user name to a role name.

    Manage permissions by nesting roles. Use GRANT role_name TO role_name to give all the permissions of the first role to the second role.

  • ldap: Uses LDAP group membership and is a 1-to-many mapping. The DSE Role Manager looks up the user in LDAP and returns a list of groups. Users are assigned all the roles that match their group name. Roles for each individual user are not required and the users DSE role automatically changes as LDAP group membership changes.

    Manage permissions for each group. DSE disables nested roles when LDAP mode is selected; using GRANT role_name TO role_name results in an error.

Note: Configure the assignment method by setting role_management_options mode in the dse.yaml.

dse.yaml

The location of the dse.yaml file depends on the type of installation:

Package installations
Installer-Services installations

 /etc/dse/dse.yaml

Tarball installations
Installer-No Services installations

 installation_location/resources/dse/conf/dse.yaml

Use the CQL CREATE ROLE, ALTER ROLE, and DROP ROLE commands to manage roles.

Managing roles

Creating a role to manage access to database objects is a two step process, first you CREATE ROLE and then you GRANT permissions on a resource.

Use the CQL CREATE ROLE, ALTER ROLE, and DROP ROLE commands to manage roles using the following syntax: 
(CREATE | ALTER | DROP ) role_name 
 [WITH (LOGIN = true | SUPERUSER = true | password = 'password')];
Role properties:
  • SUPERUSER: (Default: false) Execute ALL CQL commands, equivalent to a root account.

    DataStax recommends giving superuser status only to a limited number of users and managing superuser authentication with the internal scheme. When using LDAP group management (role_management_options.mode: ldap), to prevent unintentional role assignment, set authentication_options. scheme_permissions: true and bind the superuser role to the internal scheme (see Binding a role to an authentication scheme).

  • LOGIN: (Default: false) Required to execute CQL requests.

    When managing permissions using roles as an assignable permission set, the permission set role does not require login.

  • PASSWORD: (Default: null) Stores a bcrypt-salted hash password for the role in the system_auth keyspace; a role that has a password represents an individual user that can authenticate against the internal scheme (also requires LOGIN = true).
Use the LIST ROLES command to show all roles that you have describe permission on or all roles assigned to a role.
LIST ROLES [of role_name];
Note: Only SUPERUSER roles or roles with CREATE, ALTER, and DROP permission can manage roles.

Permissions to create, modify, and drop roles

To manage roles the following permissions are required:
Table 1. Role management permissions
Permission Database resource Description
ALTER ALL ROLES | ROLE role_name ALTER ROLE on all roles or specified role.
CREATE ALL ROLES | ROLE role_name CREATE ROLE with any name or only create a role with specific name, automatically is granted AUTHORIZE on the new role.
DESCRIBE ALL ROLES | ROLE role_name LIST privilege on all roles or only roles granted to another, specified role.
DROP ALL ROLES | ROLE role_name DROP ROLE on any role or permission to drop a specific role.

Permissions to manage access control

In order to manage permissions, the role with the GRANT or REVOKE command must have AUTHORIZE permission on both the target role and the resource.

To allow a role to manage permissions of a database object:
GRANT AUTHORIZE on resource_name to management_role;
To allow a role to manage permissions of a role:
GRANT AUTHORIZE on target_role to management_role;
To allow a role to create proxy roles:
GRANT AUTHORIZE on proxy_role to management_role;
GRANT AUTHORIZE on application_role to management_role

where AUTHORIZE gives GRANT and REVOKE permission to the role for managing permissions of other roles, resource_name is any database resources, see database resources.

Restriction: The following rules apply when managing roles and access to database objects:
  • Creating a new role requires CREATE permission on all roles. The role used to create a role automatically gets permissions to AUTHORIZE the role.
  • GRANT/REVOKE requires AUTHORIZE permission on the target role and database resource.
  • A role can only modify roles other than itself. Prevents users with ALTER permissions from making their own account a SUPERUSER or creating a role with a higher level of permission.