Authorizing remote procedure calls for CQL execution
Steps to configure RPC permissions for external clients.
DataStax Enterprise supports authentication and role-based access control for Remote Procedure Calls to the DSE database.
The syntax for remote calls for the specified procedure on the remote host
is:
CALL Object.Method(parameter1, parameter2)RPC permissions
RPC permissions are role-based to provide fine grained control over which roles can execute which commands. The GRANT and REVOKE CQL commands provide and revoke access to objects and methods.
DataStax Enterprise supports this CQL syntax in cqlsh to grant RPC permissions:GRANT permission ON ALL REMOTE CALLS TO role;
GRANT EXECUTE ON REMOTE OBJECT object TO role;
GRANT EXECUTE ON REMOTE METHOD object.method TO role;DataStax Enterprise supports this CQL syntax in cqlsh to revoke RPC
permissions:
REVOKE EXECUTE ON ALL REMOTE CALLS FROM role;
REVOKE EXECUTE ON REMOTE OBJECT object FROM role;
REVOKE EXECUTE ON REMOTE METHOD object.method FROM role;- EXECUTE is the only permission that applies to RPC, see the Access Control Matrix for more details
- role is the role to grant or revoke authorization to.
Granting RPC permissions to DseClientTool
You must configure RPC permissions for external clients to run the dse client-tool command and to launch
Spark:
GRANT EXECUTE ON REMOTE OBJECT DseClientTool TO USER;
Note: RPC permission for the
If access is attempted without permissions, you will see an error message
similar
to:DseClientTool object is required to run
Spark because the DseClientTool object is called implicitly by the Spark
launcher.com.datastax.driver.core.exceptions.UnauthorizedException: User X has no EXECUTE permission on <rpc method DseClientTool.getSparkMasterAddress> or any of its parentsGRANT EXECUTE ON REMOTE OBJECT DseClientTool TO ADMINROLE;
Managing the permissions of a large number of users can be considerably simplified through the reuse of a small number of high-level roles.