Functions and aggregate resources

Syntax for authorizing access to user defined function and aggregate.

cassandra.yaml

The location of the cassandra.yaml file depends on the type of installation:
Package installations /etc/dse/cassandra/cassandra.yaml
Tarball installations installation_location/resources/cassandra/conf/cassandra.yaml
The function syntax applies to user defined functions and aggregates. Although user defined functions and aggregates are located in a keyspace, function permissions are distinct and must be applied separately. Access is controlled using modelled hierarchy. Granting and revoking a privilege on a top level object automatically allows the same permission on all ancestors.
Restriction: User defined functions are only available in environments that have set to true in the cassandra.yaml file.

Functions have the following hierarchy.

Synopsis

Use the following syntax to control access to functions:
  • ALL FUNCTIONS syntax:
    GRANT privilege_list 
    ON ALL FUNCTIONS 
    TO role_name;
    where the privileges are ALL PERMISSIONS, ALTER, CREATE, DROP, and EXECUTE
  • ALL FUNCTIONS IN KEYSPACE syntax:
    GRANT privilege_list 
    ON ALL FUNCTIONS IN KEYSPACE keyspace_name 
    TO role_name;
    where the privileges are ALL PERMISSIONS, ALTER, CREATE, DROP, and EXECUTE
  • FUNCTION syntax:
    GRANT privilege_list 
    ON FUNCTION function_name ( argument_types ) 
    TO role_name;
    where the function name is fully qualified and the privileges are ALL PERMISSIONS, ALTER, DROP, and EXECUTE
Revoke permission syntax:
REVOKE permission_list 
ON resource 
FROM role_name; 

Permission matrix

When a permission is granted to a role, users are able to perform the corresponding operations.
privilege_name resource_name Permissions
ALL PERMISSIONS ALL FUNCTIONS All operations (ALTER, CREATE, DROP, and EXECUTE permissions) on all functions in all keyspaces.
ALL PERMISSIONS ALL FUNCTIONS IN KEYSPACE All operations (ALTER, CREATE, DROP, and EXECUTE) on all functions in the selected keyspace.
ALL PERMISSIONS FUNCTION All operations (ALTER, DROP, and EXECUTE) on the selected function.
ALTER ALL FUNCTIONS CREATE OR REPLACE FUNCTION and CREATE OR REPLACE AGGREGATE on existing functions in all keyspaces.
ALTER ALL FUNCTIONS IN KEYSPACE keyspace_name CREATE OR REPLACE FUNCTION and CREATE OR REPLACE AGGREGATE on existing functions in a specific keyspace.
ALTER FUNCTION function_name CREATE OR REPLACE FUNCTION and CREATE OR REPLACE AGGREGATE on an existing function.
CREATE ALL FUNCTIONS and in all keyspaces.
CREATE ALL FUNCTIONS IN KEYSPACE keyspace_name and in specified keyspace.
DROP ALL FUNCTIONS and in all keyspaces.
DROP ALL FUNCTIONS IN KEYSPACE keyspace_name and in specified keyspace.
DROP FUNCTION function_name or specified function.
EXECUTE ALL FUNCTIONS Use a function or aggregate in SELECT, INSERT, and UPDATE in all keyspaces. Create an aggregate that contains a function.
EXECUTE ALL FUNCTIONS IN KEYSPACE keyspace_name Use a function or aggregate in SELECT, INSERT, and UPDATE in a keypsace. Create an aggregate that contains a function in the keyspace.
EXECUTE FUNCTION function_name SELECT, INSERT and UPDATE using specified function and use of the function in CREATE AGGREGATE.