Restricting access to data

Denies permission on a resource, even if the privilege has been granted directly to the role, was inherited, or the role is a superuser.

The RESTRICT command denies a permission on a resource to a role. The user is denied access even if the role is a superuser, the privilege has been granted directly to the role, or the privilege was inherited from another role. Use UNRESTRICT to remove a restriction the role has on the database resource.

A superuser role has full access to the database. Use RESTRICT to create database administrator accounts that can manage database resources and roles but cannot see or modify data.

Note: GRANT and REVOKE only take effect on database resources that are not restricted; a restriction must be lifted with UNRESTRICT before a grant can take effect.

Procedure

  1. Log in to CQLSH with a superuser role.
    cqlsh -u username
    CAUTION: Logging in with the default role cassandra may impact performance or fail. All requests including login are executed with consistency QUORUM.
  2. Create a superuser account with login enabled.
    CREATE ROLE IF NOT EXISTS db_admin 
    WITH superuser = true
      AND login = true 
      AND password = 'anypasswordwilldo';
    Note: A password is required for internal accounts but not for LDAP or Kerberos.
  3. Restrict the role from accessing the data in the cycling keyspace:
    RESTRICT MODIFY, SELECT
    ON KEYSPACE cycling
    TO db_admin;
  4. Verify the restriction:
    SELECT role, resource, restricted
    FROM system_auth.role_permissions 
    WHERE role = 'db_admin';
    The results show the permissions denied to the role.
     role     | resource     | restricted
    ----------+--------------+----------------------
     db_admin | data/cycling | {'MODIFY', 'SELECT'}
    
    (1 rows)
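A defender typically wants to confirm, across all administrative roles rather than one, that the restriction from step 3 is in place. The following Python function is an added example, not part of the original page: it audits rows in the shape returned by the verification query in step 4 (role, resource, restricted) and reports any administrative role that is not restricted from both MODIFY and SELECT on a given keyspace. The sample rows are constructed for the example; the list of administrative roles, the helper names, and the assumption that a restriction on the root `data` resource covers every keyspace are the example's own, not taken from the page.

```python
from dataclasses import dataclass

# One row of system_auth.role_permissions, matching the columns selected in step 4.
@dataclass(frozen=True)
class PermissionRow:
    role: str
    resource: str
    restricted: frozenset

# The two data permissions the procedure restricts for administrator roles.
DATA_PERMISSIONS = frozenset({"MODIFY", "SELECT"})

def resource_covers(resource: str, keyspace: str) -> bool:
    """Return True if a restriction on `resource` applies to the whole keyspace.

    Assumption (not stated on the page): the root resource 'data' (ALL KEYSPACES)
    covers every keyspace, and 'data/<keyspace>' covers that keyspace. A
    table-level resource 'data/<keyspace>/<table>' does not cover the keyspace.
    """
    return resource == "data" or resource == f"data/{keyspace}"

def find_unrestricted_admins(rows, admin_roles, keyspace):
    """Return {role: missing permissions} for admin roles that are not fully
    restricted from MODIFY and SELECT on `keyspace`. An empty dict means every
    administrative role is restricted as the procedure intends."""
    findings = {}
    for role in admin_roles:
        covered = set()
        for row in rows:
            if row.role == role and resource_covers(row.resource, keyspace):
                covered |= row.restricted & DATA_PERMISSIONS
        missing = DATA_PERMISSIONS - covered
        if missing:
            findings[role] = missing
    return findings

# Constructed sample rows: db_admin matches the output shown in step 4,
# ops_admin is only half restricted, and cassandra has no restriction rows.
SAMPLE_ROWS = [
    PermissionRow("db_admin", "data/cycling", frozenset({"MODIFY", "SELECT"})),
    PermissionRow("ops_admin", "data/cycling", frozenset({"SELECT"})),
    PermissionRow("ops_admin", "data/cycling/cyclist_name", frozenset({"MODIFY"})),
]

# Hypothetical list of roles that hold superuser = true in this deployment.
ADMIN_ROLES = ["db_admin", "ops_admin", "cassandra"]

if __name__ == "__main__":
    for role, missing in find_unrestricted_admins(SAMPLE_ROWS, ADMIN_ROLES, "cycling").items():
        print(f"{role}: not restricted from {sorted(missing)} on keyspace cycling")
```

Because a table-level restriction does not cover the keyspace, `ops_admin` is reported as still able to MODIFY at keyspace level even though one table is restricted; the unrestricted `cassandra` role is reported for both permissions, which is the case the CAUTION in step 1 makes worth checking first.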