Controlling access to DataStax Graph keyspaces

Manage permission to access DataStax Graph data.

Assign access privileges to roles for graph management.

Permissions and syntax

DataStax Graph authentication and authorization is accomplished with either CQL authorization or DSE Unified Authentication. Set access to graphs using the following syntax:
  • Allow access to a graph, or to an individual vertex label/edge label table:
    GRANT permission_name 
    ON KEYSPACE graph_name | [graph_name.]label_table_name 
    TO role_name;
  • Remove access to a graph, or to an individual vertex label/edge label table (REVOKE uses FROM rather than TO):
    REVOKE permission_name 
    ON KEYSPACE graph_name | [graph_name.]label_table_name 
    FROM role_name;

Requirements to GRANT/REVOKE Graph permissions

Roles that manage Graph permissions must have AUTHORIZE on the search index resource:
  • Manage permissions for a graph:
    GRANT AUTHORIZE FOR permission_name
    ON KEYSPACE graph_name  
    TO role_name;
  • Limit the ability to manage permissions to an individual vertex label/edge label table:
    GRANT AUTHORIZE FOR permission_name
    ON SEARCH INDEX [keyspace_name.]table_name 
    TO role_name;
Note: Superuser roles have permission to perform any action, so they do not require an explicit AUTHORIZE FOR grant on a Graph resource.
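
As an added worked example (not part of the DataStax documentation itself), the following CQL applies the GRANT, AUTHORIZE FOR and REVOKE syntax above to a constructed graph keyspace fraud_graph, a constructed vertex label table fraud_graph.person_p, and the roles graph_reader, graph_writer and graph_admin; all of these names and the passwords are assumptions for illustration, and it assumes DSE role-based authorization is enabled. The closing LIST statements are the check a practitioner should run after every change to confirm that each role holds exactly the permissions intended and nothing more.

```cql
-- Roles used in this example (constructed names; passwords are placeholders)
CREATE ROLE IF NOT EXISTS graph_reader WITH LOGIN = true AND PASSWORD = 'change-me';
CREATE ROLE IF NOT EXISTS graph_writer WITH LOGIN = true AND PASSWORD = 'change-me';
CREATE ROLE IF NOT EXISTS graph_admin  WITH LOGIN = true AND PASSWORD = 'change-me';

-- Read access to the whole graph keyspace (every vertex and edge label table)
GRANT SELECT ON KEYSPACE fraud_graph TO graph_reader;

-- Write access scoped to a single vertex label table rather than the whole graph
-- (fraud_graph.person_p is an assumed table name for the "person" vertex label)
GRANT MODIFY ON TABLE fraud_graph.person_p TO graph_writer;

-- graph_admin may GRANT/REVOKE SELECT and MODIFY on the graph keyspace without
-- being a superuser; AUTHORIZE FOR does not itself confer SELECT or MODIFY
GRANT AUTHORIZE FOR SELECT ON KEYSPACE fraud_graph TO graph_admin;
GRANT AUTHORIZE FOR MODIFY ON KEYSPACE fraud_graph TO graph_admin;

-- Remove the writer's access once it is no longer needed (REVOKE takes FROM, not TO)
REVOKE MODIFY ON TABLE fraud_graph.person_p FROM graph_writer;

-- Verify the effective permissions of each role and on the graph resource
LIST ALL PERMISSIONS OF graph_reader;
LIST ALL PERMISSIONS OF graph_writer;
LIST ALL PERMISSIONS OF graph_admin;
LIST ALL PERMISSIONS ON KEYSPACE fraud_graph;
```

The keyspace-level grant is the coarse control; the table-level grant shows how to follow least privilege by giving a role only the label tables it must touch. Granting AUTHORIZE FOR to a dedicated administrative role avoids handing out superuser for routine permission management.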

Procedure

  • A Studio user must have the following SELECT permissions:
    GRANT SELECT ON system_auth.roles to graph_role;
    This permission allows validation of the CQL role settings for graph_role.
  • A Graph user must have the following SELECT permissions, set by default, to access DataStax Graph schema views:
    GRANT SELECT ON system_schema.vertices to graph_role;
    GRANT SELECT ON system_schema.edges to graph_role;
    These permissions will only need to be granted in a non-default cluster where system keyspace filtering is configured.
  • If DSE Search is used for any data in Studio, the following permission is required to access the search resources and display search indexes:
    GRANT SELECT ON solr_admin.solr_resources to graph_role;
  • The following permissions are required if AlwaysOn SparkSQL is used with Graph, to determine AOSS status, display SparkSQL cached tables in the schema view, identify the current datacenter for the SparkSQL cached tables, and identify DataStax Graph and AOSS host servers:
    GRANT SELECT ON dse_analytics.alwayson_sql_info to graph_role;
    GRANT SELECT ON dse_analytics.alwayson_cache_table to graph_role;