Restricting access to data
Denies permission on a resource, even if the privilege has been directly granted or inherited.
The command denies permission on a resource to the role.
The user is denied access even if the privilege has been granted directly to the
role or was inherited.
Attention: However, regardless of how you use
RESTRICT
, an account with the superuser
role has full read/write access to the database. If your goal is that certain
database administrators should not be able to see or modify data, do not assign
superuser
to those accounts. Instead, use
RESTRICT
to create database administrator accounts that are
able to manage database resources and roles, but are unable to see or modify
data.Use to remove any restrictions the role has on the database resource.
Note: and only allow access to
database resources that are .
Procedure
-
Log in to CQLSH with a
superuser
role.cqlsh -u username
CAUTION: Logging in with the default rolecassandra
may impact performance or fail. All requests including login are executed with consistencyQUORUM
. -
Create an account with login enabled, but do not give this
db_admin
account thesuperuser
role.CREATE ROLE IF NOT EXISTS db_admin WITH superuser = false AND login = true AND password = 'anypasswordwilldo';
Note: A password is required for internal accounts but not for LDAP or Kerberos. -
Restrict the role from accessing the data in the cycling keyspace:
RESTRICT MODIFY, SELECT ON KEYSPACE cycling TO db_admin;
-
Verify the restriction:
SELECT role, resource, restricted FROM system_auth.role_permissions WHERE role = 'db_admin';
The results show the permissions denied to the role.role | resource | restricted ----------+--------------+---------------------- db_admin | data/cycling | {'MODIFY', 'SELECT'} (1 rows)