Functions and aggregate resources
Syntax for authorizing access to user defined function and aggregate.
cassandra.yaml
The location of the cassandra.yaml file depends on the type of installation:Package installations | /etc/dse/cassandra/cassandra.yaml |
Tarball installations | installation_location/resources/cassandra/conf/cassandra.yaml |
The function syntax applies to user defined functions and aggregates. Although user defined
functions and aggregates are located in a keyspace, function permissions are distinct and
must be applied separately. Access is controlled using modelled hierarchy. Granting
and revoking a privilege on a top level object automatically allows the same
permission on all ancestors.
Restriction: User defined functions are only available in environments that have
enable_user_defined_functions set to true in the
cassandra.yaml file.
Functions have the following hierarchy.
Synopsis
Use the following syntax to control access to functions:
- ALL FUNCTIONS
syntax:
GRANT privilege_list ON ALL FUNCTIONS TO role_name;
where the privileges are ALL PERMISSIONS, ALTER, CREATE, DROP, and EXECUTE - ALL FUNCTIONS IN KEYSPACE
syntax:
GRANT privilege_list ON ALL FUNCTIONS IN KEYSPACE keyspace_name TO role_name;
where the privileges are ALL PERMISSIONS, ALTER, CREATE, DROP, and EXECUTE - FUNCTION
syntax:
GRANT privilege_list ON FUNCTION function_name ( argument_types ) TO role_name;
where the function name is fully qualified and the privileges are ALL PERMISSIONS, ALTER, DROP, and EXECUTE
Revoke permission
syntax:
REVOKE permission_list
ON resource
FROM role_name;
Permission matrix
When a permission is granted to a role, users are able to perform the corresponding
operations.
privilege_name | resource_name | Permissions |
---|---|---|
ALL PERMISSIONS | ALL FUNCTIONS | All operations (ALTER, CREATE, DROP, and EXECUTE permissions) on all functions in all keyspaces. |
ALL PERMISSIONS | ALL FUNCTIONS IN KEYSPACE | All operations (ALTER, CREATE, DROP, and EXECUTE) on all functions in the selected keyspace. |
ALL PERMISSIONS | FUNCTION | All operations (ALTER, DROP, and EXECUTE) on the selected function. |
ALTER | ALL FUNCTIONS | CREATE OR REPLACE FUNCTION and CREATE OR REPLACE AGGREGATE on existing functions in all keyspaces. |
ALTER | ALL FUNCTIONS IN KEYSPACE keyspace_name | CREATE OR REPLACE FUNCTION and CREATE OR REPLACE AGGREGATE on existing functions in a specific keyspace. |
ALTER | FUNCTION function_name | CREATE OR REPLACE FUNCTION and CREATE OR REPLACE AGGREGATE on an existing function. |
CREATE | ALL FUNCTIONS | CREATE FUNCTION and CREATE AGGREGATE in all keyspaces. |
CREATE | ALL FUNCTIONS IN KEYSPACE keyspace_name | CREATE FUNCTION and CREATE AGGREGATE in specified keyspace. |
DROP | ALL FUNCTIONS | DROP FUNCTION and DROP AGGREGATE in all keyspaces. |
DROP | ALL FUNCTIONS IN KEYSPACE keyspace_name | DROP FUNCTION and DROP AGGREGATE in specified keyspace. |
DROP | FUNCTION function_name | DROP FUNCTION or DROP AGGREGATE specified function. |
EXECUTE | ALL FUNCTIONS | Use a function or aggregate in SELECT, INSERT, and UPDATE in all keyspaces. Create an aggregate that contains a function. |
EXECUTE | ALL FUNCTIONS IN KEYSPACE keyspace_name | Use a function or aggregate in SELECT, INSERT, and UPDATE in a keypsace. Create an aggregate that contains a function in the keyspace. |
EXECUTE | FUNCTION function_name | SELECT, INSERT and UPDATE using specified function and use of the function in CREATE AGGREGATE. |