Controlling access to DataStax Graph keyspaces
Manage permission to access DataStax Graph data.
Assign access privileges to roles for graph management.
Permissions and syntax
DataStax Graph authentication and authorization is accomplished with either CQL
authorization or DSE Unified Authentication. Setting access to graphs using
the following syntax:
- Allow access to a graph or vertex label/edge
label:
GRANT permission_name ON KEYSPACE graph_name | [graph_name.]label_table_name) TO role_name;
- Remove access to a
graph:
REVOKE permission_name ON KEYSPACE graph_name | [graph_name.]Label_table_name) TO role_name;
Requirements to GRANT/REVOKE Graph permissions
Roles that manage Graph permissions must have AUTHORIZE on the search index
resource:
- Manage permissions for a
graph:
GRANT AUTHORIZE FOR permission_name ON KEYSPACE graph_name TO role_name;
- Limit permissions to manage permissions to individual vertex label/edge
label
table:
GRANT AUTHORIZE FOR permission_name ON SEARCH INDEX [keyspace_name.]table_name TO role_name;
Note: Superuser roles have permission to perform any action; therefore do not
require explicitly granting authorize for a permission on Graph
resource.
Procedure
-
A Studio user must have the following SELECT permissions:
This permission allows validation of the CQL role settings for graph_role.GRANT SELECT ON system_auth.roles to graph_role;
-
A Graph user must have the following SELECT permissions, set by default, to
access DataStax Graph schema views:
These permissions will only need to be granted in a non-default cluster where system keyspace filtering is configured.GRANT SELECT ON system_schema.vertices to graph_role; GRANT SELECT ON system_schema.edges to graph_role;
-
If DSE Search is used for any data in Studio, the following permission is
required to access the search resources and display search indexes:
GRANT SELECT ON solr_admin.solr_resources to graph_role;
-
The following permissions are required if AlwaysOn SparkSQL is used with Graph,
to determine AOSS status,display SparkSQL cached tables in the schema view,
identify the current datacenter for the SparkSQL cached tables, and identify
DataStax Graph and AOSS host servers:
GRANT SELECT ON dse_analytics.alwayson_sql_info to graph_role; GRANT SELECT ON dse_analytics.alwayson_cache_table to graph_role;