Authorizing remote procedure calls for CQL execution

Steps to configure RPC permissions for external clients.

DataStax Enterprise supports authentication and role-based access control for Remote Procedure Calls to the DSE database.

The syntax for remote calls for the specified procedure on the remote host is:
CALL Object.Method(parameter1, parameter2)

RPC permissions

RPC permissions are role-based to provide fine-grained control over which roles can execute which commands. The GRANT and REVOKE CQL commands provide and revoke access to objects and methods.

DataStax Enterprise supports this CQL syntax in cqlsh to grant RPC permissions:
GRANT permission ON ALL REMOTE CALLS TO role;
GRANT EXECUTE ON REMOTE OBJECT object TO role;
GRANT EXECUTE ON REMOTE METHOD object.method TO role;
DataStax Enterprise supports this CQL syntax in cqlsh to revoke RPC permissions:
REVOKE EXECUTE ON ALL REMOTE CALLS FROM role;
REVOKE EXECUTE ON REMOTE OBJECT object FROM role;
REVOKE EXECUTE ON REMOTE METHOD object.method FROM role;
where:
  • EXECUTE is the only permission that applies to RPC. For more details, see the Access Control Matrix.
  • role is the role to grant or revoke authorization.

Granting RPC permissions to DseClientTool

You can configure RPC permissions for external clients to run the dse client-tool command and to launch Spark:
GRANT EXECUTE ON REMOTE OBJECT DseClientTool TO USER;
Note: Whether RPC permission is required for the DseClientTool object depends on the intended usage. Starting in DSE 5.1, the dse client-tool spark master-address command does not need any permission because it does not perform any operation. This command does not return the current Spark Master address. Spark may connect to any node in DSE.

However, the dse client-tool spark leader-address command, which returns the actual Spark Master address, executes a remote command and it needs the RPC permission.

If access is attempted without permission, you will see an error message similar to:
com.datastax.driver.core.exceptions.UnauthorizedException: User X has no EXECUTE permission on <rpc method DseClientTool.getSparkMasterAddress> or any of its parents
To resolve the problem, set RPC permissions for the DseClientTool object. For example:
GRANT EXECUTE ON REMOTE OBJECT DseClientTool TO ADMINROLE;

Managing the permissions of a large number of users can be considerably simplified through the reuse of a small number of high-level roles.