Authorizing remote procedure calls for CQL execution
Steps to configure RPC permissions for external clients.
DataStax Enterprise supports authentication and role-based access control for Remote Procedure Calls (RPCs) to the DSE database. An RPC has the form:

CALL Object.Method(parameter1, parameter2)
RPC permissions
RPC permissions are role-based to provide fine-grained control over which roles can execute which commands. The GRANT and REVOKE CQL commands provide and revoke access to objects and methods.
DataStax Enterprise supports this CQL syntax in cqlsh to grant RPC permissions:

GRANT permission ON ALL REMOTE CALLS TO role;
GRANT EXECUTE ON REMOTE OBJECT object TO role;
GRANT EXECUTE ON REMOTE METHOD object.method TO role;

and this syntax in cqlsh to revoke RPC permissions:

REVOKE EXECUTE ON ALL REMOTE CALLS FROM role;
REVOKE EXECUTE ON REMOTE OBJECT object FROM role;
REVOKE EXECUTE ON REMOTE METHOD object.method FROM role;

where:
- EXECUTE is the only permission that applies to RPC. For more details, see the Access Control Matrix.
- role is the role to which authorization is granted, or from which it is revoked.
Granting RPC permissions to DseClientTool
GRANT EXECUTE ON REMOTE OBJECT DseClientTool TO USER;

Whether a role needs RPC permission on the DseClientTool object depends on the intended usage. Starting in DSE 5.1, the dse client-tool spark master-address command does not need any permission because it does not perform any operation. This command does not return the current Spark Master address; Spark may connect to any node in DSE. However, the dse client-tool spark leader-address command, which returns the actual Spark Master address, executes a remote command and therefore needs the RPC permission. Without it, the command fails with:

com.datastax.driver.core.exceptions.UnauthorizedException: User X has no EXECUTE permission on <rpc method DseClientTool.getSparkMasterAddress> or any of its parents

To resolve the problem, set RPC permissions for the DseClientTool object. For example:

GRANT EXECUTE ON REMOTE OBJECT DseClientTool TO ADMINROLE;
Managing the permissions of a large number of users can be considerably simplified through the reuse of a small number of high-level roles.
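The following is an added example, not part of the DataStax documentation and not DataStax code: a small offline Python model of the two ideas this page relies on, the RPC resource hierarchy (ALL REMOTE CALLS above REMOTE OBJECT above REMOTE METHOD, which is why the error text says "or any of its parents") and role inheritance through GRANT role TO role, which is what makes reusing a few high-level roles work. The object and method names DseClientTool and getSparkMasterAddress come from the error message above; the roles alice and bob, the method name someOtherMethod and the object name OtherObject are constructed for the demonstration. It also shows the caveat a practitioner should check for: permissions are additive, so a REVOKE removes only the exact grant it names, and an object-level grant keeps a method reachable after a method-level REVOKE.

```python
"""Model of how EXECUTE on a DSE RPC resource is resolved (constructed example,
not DataStax code; talks to no cluster).

Hierarchy: ALL REMOTE CALLS > REMOTE OBJECT obj > REMOTE METHOD obj.method.
A grant at any level covers everything below it. Permissions are additive:
REVOKE removes only the exact grant named, nothing above or below it.
"""
from collections import deque

ALL_REMOTE_CALLS = "ALL REMOTE CALLS"


def rpc_resource(obj=None, method=None):
    """Canonical CQL spelling of an RPC resource at one of the three levels."""
    if obj is None:
        return ALL_REMOTE_CALLS
    if method is None:
        return f"REMOTE OBJECT {obj}"
    return f"REMOTE METHOD {obj}.{method}"


def resource_chain(resource):
    """The resource itself followed by its parents, most specific first."""
    chain = [resource]
    if resource.startswith("REMOTE METHOD "):
        obj = resource[len("REMOTE METHOD "):].split(".", 1)[0]
        chain.append(rpc_resource(obj))
    if resource != ALL_REMOTE_CALLS:
        chain.append(ALL_REMOTE_CALLS)
    return chain


class RpcAuthorizer:
    def __init__(self):
        self._grants = {}   # role -> set of resources it holds EXECUTE on
        self._members = {}  # role -> set of roles granted to it

    def grant_execute(self, resource, role):
        self._grants.setdefault(role, set()).add(resource)
        return f"GRANT EXECUTE ON {resource} TO {role};"

    def revoke_execute(self, resource, role):
        # Only the exact grant is removed; parents and children are untouched.
        self._grants.get(role, set()).discard(resource)
        return f"REVOKE EXECUTE ON {resource} FROM {role};"

    def grant_role(self, granted_role, to_role):
        self._members.setdefault(to_role, set()).add(granted_role)
        return f"GRANT {granted_role} TO {to_role};"

    def effective_roles(self, role):
        """The role plus every role reachable through GRANT role TO role."""
        seen, queue = {role}, deque([role])
        while queue:
            for parent in self._members.get(queue.popleft(), ()):
                if parent not in seen:
                    seen.add(parent)
                    queue.append(parent)
        return seen

    def can_execute(self, role, obj, method):
        """True if any effective role holds EXECUTE on the method or a parent."""
        needed = resource_chain(rpc_resource(obj, method))
        return any(res in self._grants.get(r, set())
                   for r in self.effective_roles(role) for res in needed)


def demo():
    auth = RpcAuthorizer()
    method = ("DseClientTool", "getSparkMasterAddress")  # from the page's error text
    results = {}

    # 1. No grants yet: this is the UnauthorizedException situation.
    results["before_grant"] = auth.can_execute("ADMINROLE", *method)

    # 2. The page's fix, plus a constructed login role that inherits ADMINROLE.
    auth.grant_execute(rpc_resource("DseClientTool"), "ADMINROLE")
    auth.grant_role("ADMINROLE", "alice")
    results["adminrole_direct"] = auth.can_execute("ADMINROLE", *method)
    results["alice_inherited"] = auth.can_execute("alice", *method)
    # Object-level grant covers every method of that object (constructed name)...
    results["alice_other_method"] = auth.can_execute("alice", "DseClientTool", "someOtherMethod")
    # ...but not other objects, and not roles with no path to ADMINROLE.
    results["alice_other_object"] = auth.can_execute("alice", "OtherObject", "run")
    results["bob_unprivileged"] = auth.can_execute("bob", *method)

    # 3. Caveat: a method-level REVOKE does not override the object-level grant.
    auth.grant_execute(rpc_resource(*method), "ADMINROLE")
    auth.revoke_execute(rpc_resource(*method), "ADMINROLE")
    results["after_method_revoke"] = auth.can_execute("ADMINROLE", *method)
    auth.revoke_execute(rpc_resource("DseClientTool"), "ADMINROLE")
    results["after_object_revoke"] = auth.can_execute("alice", *method)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} {'allowed' if allowed else 'denied'}")
```

When auditing real grants, list them with LIST ALL PERMISSIONS and compare against the whole chain for each method a role can reach, not just the most specific level; the model above denies access only once the last covering grant is gone.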