Data resources
Syntax for authorizing access to keyspaces, tables, rows, and types.
dse.yaml
The location of the dse.yaml file depends on the type of installation:

Installation type | Location |
---|---|
Package installations | /etc/dse/dse.yaml |
Tarball installations | installation_location/resources/dse/conf/dse.yaml |
Data resources are keyspaces, types, tables, and rows. Access is controlled using a modeled hierarchy: granting or revoking a privilege on a top-level object automatically grants or revokes the same permission on all ancestors.
Data resources have the following hierarchy, from the top level down:
- ALL KEYSPACES
  - KEYSPACE (user-defined types are controlled at this level)
    - TABLE
      - ROWS
Synopsis
Use the following syntax for data resource access control:
- ALL KEYSPACES

  syntax:
  ```
  GRANT permission[, permission ...] ON ALL KEYSPACES TO role_name;
  ```
  Where permissions are ALL PERMISSIONS, CREATE, DESCRIBE, DROP, MODIFY, and SELECT.
- KEYSPACE

  syntax:
  ```
  GRANT permission[, permission ...] ON KEYSPACE keyspace_name TO role_name;
  ```
  Where permissions are ALL PERMISSIONS, CREATE, DESCRIBE, DROP, MODIFY, and SELECT.

  Note: User-defined type access control is the same as the privilege the role has on the keyspace.
- TABLE

  syntax:
  ```
  GRANT permission[, permission ...] ON [TABLE] keyspace_name.table_name TO role_name;
  ```
  Where permissions are ALL PERMISSIONS, DROP, MODIFY, and SELECT.
- ROWS

  syntax:
  ```
  GRANT permission[, permission ...] ON 'filter_text' ROWS IN keyspace_name.table_name TO role_name;
  ```
  Where permissions are ALL PERMISSIONS, MODIFY, and SELECT.

  Note: Row-level access control (RLAC) is disabled by default. To use RLAC, set the allow_row_level_security parameter to true in dse.yaml.
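The four resource levels used together to build one least-privilege role, as an added example that is not part of the DataStax page. Every object and role name (keyspace shop, tables products and orders, column customer_id, role support_eu, filter value 'cust-eu-0042') is an assumption made for the illustration, and the RESTRICT ROWS and REVOKE ... ROWS forms are assumed from the RLAC commands the permission matrix names rather than copied from this page:

```sql
-- Added example, not taken from the DataStax page: one role built from the
-- four GRANT forms above. Every name here (keyspace shop, tables products
-- and orders, column customer_id, role support_eu, filter value
-- 'cust-eu-0042') is constructed for this illustration.

CREATE KEYSPACE IF NOT EXISTS shop
  WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1};

CREATE TABLE IF NOT EXISTS shop.products (
  sku   text PRIMARY KEY,
  name  text,
  price decimal
);

CREATE TABLE IF NOT EXISTS shop.orders (
  customer_id text,
  order_id    timeuuid,
  total       decimal,
  PRIMARY KEY (customer_id, order_id)
);

-- Privileges hang off a non-login role; login roles are granted this role.
CREATE ROLE IF NOT EXISTS support_eu WITH LOGIN = false;

-- KEYSPACE level: schema visibility only. Because access flows down the
-- hierarchy, this covers every table and user-defined type in shop.
GRANT DESCRIBE ON KEYSPACE shop TO support_eu;

-- TABLE level: full read of the catalogue, no writes.
GRANT SELECT ON TABLE shop.products TO support_eu;

-- ROWS level (RLAC): the role gets no table-level grant on orders at all;
-- it may read and write only the partition whose key matches the filter
-- text. Requires allow_row_level_security: true in dse.yaml. Assumed
-- (DSE RESTRICT ROWS form): the table is first restricted on the column
-- the filter text is compared against.
RESTRICT ROWS ON shop.orders USING customer_id;
GRANT SELECT, MODIFY ON 'cust-eu-0042' ROWS IN shop.orders TO support_eu;

-- Read back the effective grants before the role is handed out.
LIST ALL PERMISSIONS OF support_eu;

-- Tightening later: a REVOKE at the same level undoes the matching GRANT
-- (assumed symmetric form of the ROWS grant).
REVOKE MODIFY ON 'cust-eu-0042' ROWS IN shop.orders FROM support_eu;
```

The deliberate gap in this design is that support_eu holds no SELECT or MODIFY on shop.orders at the TABLE or KEYSPACE level: a grant at either of those levels would reach every partition of the table and make the row filter irrelevant, so row-scoped roles should receive only DESCRIBE above the ROWS level.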
Permission matrix
The following table describes the CQL statements enabled on the resource when a privilege is granted to a role:
Privilege type | Resource names | Permissions |
---|---|---|
ALL PERMISSIONS | ALL KEYSPACES | CREATE KEYSPACE and DROP KEYSPACE, as well as all permissions on ancestor objects described in CREATE, ALTER, AUTHORIZE, DESCRIBE, DROP, MODIFY, and SELECT privilege. |
ALL PERMISSIONS | KEYSPACE | ALTER, AUTHORIZE, DESCRIBE, and SELECT privileges on the keyspace and CREATE, ALTER, AUTHORIZE, DESCRIBE, DROP, and SELECT privileges on types, tables, and rows. |
ALL PERMISSIONS | TABLE | MODIFY, SELECT, and AUTHORIZE privileges on the table and all privileges on rows. |
ALL PERMISSIONS | ROWS | MODIFY and SELECT privileges on the rows that match the filtering text. |
ALTER | ALL KEYSPACES | ALTER KEYSPACE, ALTER TABLE, ALTER TYPE, RESTRICT ROWS, and UNRESTRICT ROWS. |
ALTER | KEYSPACE | |
ALTER | TABLE | ALTER TABLE, RESTRICT ROWS, and UNRESTRICT ROWS. |
CREATE | ALL KEYSPACES | CREATE KEYSPACE, CREATE TABLE, and CREATE TYPE. Note: Creating a resource automatically grants AUTHORIZE permission to the role that created it. |
CREATE | KEYSPACE | CREATE TABLE and CREATE TYPE in specified keyspace. |
CREATE | TABLE | CREATE TABLE in specified keyspace. |
DESCRIBE | ALL KEYSPACES | DESCRIBE KEYSPACE, DESCRIBE TABLE, and DESCRIBE TYPE in any keyspace |
DESCRIBE | KEYSPACE | DESCRIBE KEYSPACE, DESCRIBE TABLE, DESCRIBE TYPE, DESCRIBE FUNCTION, and DESCRIBE AGGREGATE in specified keyspace |
DROP | ALL KEYSPACES | DROP KEYSPACE, DROP TABLE, and DROP TYPE in any keyspace |
DROP | KEYSPACE | DROP TABLE and DROP TYPE in specified keyspace |
DROP | TABLE | DROP TABLE |
MODIFY | ALL KEYSPACES | INSERT, UPDATE, DELETE, and TRUNCATE on all tables. |
MODIFY | KEYSPACE | INSERT, UPDATE, DELETE, and TRUNCATE on any table in specified keyspace. |
MODIFY | TABLE | INSERT, UPDATE, DELETE, and TRUNCATE on specified table. See note for tables with materialized views (MVs). |
MODIFY | ROWS | INSERT, UPDATE, and DELETE on the partition that matches the 'filtering_data' for the table. |
SELECT | ALL KEYSPACES | SELECT on any table. |
SELECT | KEYSPACE | SELECT on any table in specified keyspace. |
SELECT | TABLE | SELECT on specified table. |
SELECT | ROWS | SELECT on rows that exactly match the 'filtering_data' in specified table. |
Note: To modify a base table that has a materialized view (MV) using an INSERT or UPDATE command when access permissions are enabled, a user must be granted MODIFY or ALL PERMISSIONS on the base table.
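The materialized-view case from the note above, as an added example that is not part of the DataStax page. The keyspace shop, table payments, view payments_by_status and role app_writer are constructed names, and addressing the view as a TABLE resource in GRANT is an assumption, not something this page states:

```sql
-- Added example, not taken from the DataStax page: the MODIFY grant for a
-- base table that has a materialized view. The keyspace shop, table
-- payments, view payments_by_status and role app_writer are constructed
-- names for this illustration.

CREATE KEYSPACE IF NOT EXISTS shop
  WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1};

CREATE TABLE IF NOT EXISTS shop.payments (
  payment_id timeuuid PRIMARY KEY,
  status     text,
  amount     decimal
);

-- The view is maintained by the server from writes to the base table;
-- clients never write to it directly.
CREATE MATERIALIZED VIEW IF NOT EXISTS shop.payments_by_status AS
  SELECT payment_id, status, amount FROM shop.payments
  WHERE status IS NOT NULL AND payment_id IS NOT NULL
  PRIMARY KEY (status, payment_id);

CREATE ROLE IF NOT EXISTS app_writer WITH LOGIN = false;

-- INSERT and UPDATE against payments are what the application issues, so
-- MODIFY is granted on the base table. ALL PERMISSIONS would also satisfy
-- the note, but it confers SELECT and AUTHORIZE the writer does not need.
GRANT MODIFY ON TABLE shop.payments TO app_writer;

-- Reading the view is a separate SELECT grant on the view itself
-- (assumed: a view is addressed like a table in GRANT).
GRANT SELECT ON TABLE shop.payments_by_status TO app_writer;

-- Confirm the role holds nothing in shop beyond the two grants above.
LIST ALL PERMISSIONS ON KEYSPACE shop OF app_writer;
```

The closing LIST statement is the check worth keeping in a deployment script: it returns every grant the role holds within the keyspace, so an unexpected DROP or AUTHORIZE inherited through ALL PERMISSIONS shows up before the role is used.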