Controlling access to DataStax Studio

Assign access privileges to roles for DataStax Studio use.

Assign access privileges to roles for DataStax Studio management.

Permissions and syntax

Set access to DataStax Studio using the following syntax:
  • Allow access for DataStax Studio use:
    GRANT permission_name 
    ON keyspace_name.table_name 
    TO role_name;
  • Remove access for DataStax Studio use:
    REVOKE permission_name 
    ON keyspace_name.table_name
    FROM role_name;
Table 1. Studio permissions

| permission_name | CQL command      | Description                                                    |
|-----------------|------------------|----------------------------------------------------------------|
| SELECT          | GRANT and REVOKE | Perform select operations for CQL and Graph commands in Studio. |
| EXECUTE         | GRANT and REVOKE | Perform execute operations for REMOTE OBJECT DseClientTool.    |
| PROXY.EXECUTE   | GRANT and REVOKE | Permission to execute AlwaysOn Spark SQL (AOSS) in Studio.     |

Requirements to GRANT/REVOKE Studio permissions

Roles that manage Studio permissions must have AUTHORIZE on the Studio resources:
  • Manage permissions for all search indexes:
    GRANT AUTHORIZE FOR permission_name
    ON KEYSPACE required_keyspaces  
    TO role_name;
  • Limit permission management to individual tables:
    GRANT AUTHORIZE FOR permission_name
    ON required_keyspaces 
    TO role_name;
Note: Superuser roles have permission to perform any action and therefore do not require an explicit AUTHORIZE grant for a permission on Studio resources.

Procedure

  • A Studio user must have the following SELECT permission:
    GRANT SELECT ON system_auth.roles to studio_role;
    This permission allows validation of the CQL role settings for studio_role.
  • A Studio user must have the following SELECT permissions to access DataStax Graph schema views:
    GRANT SELECT ON system_schema.vertices to studio_role;
    GRANT SELECT ON system_schema.edges to studio_role;
    These permissions are available by default, unless the system_schema keyspace has had permissions altered.
  • If DSE Search is used for any data in Studio, the following permission is required to access the search resources and display search indexes:
    GRANT SELECT ON solr_admin.solr_resources to studio_role;
  • The following permissions are required if AlwaysOn SparkSQL is used in Studio, to determine AOSS status, display SparkSQL cached tables in the schema view, identify the current datacenter for the SparkSQL cached tables, and identify DataStax Graph and AOSS host servers:
    GRANT SELECT ON dse_analytics.alwayson_sql_info to studio_role;
    GRANT SELECT ON dse_analytics.alwayson_cache_table to studio_role;
    GRANT SELECT ON system.local to studio_role;
    Permissions to system.local are available by default, but the role may need permission granted.
  • An additional permission is required if AlwaysOn Spark SQL is used in Studio, to identify the current datacenter for the SparkSQL cached tables and to identify DataStax Graph and AOSS host servers:
    GRANT EXECUTE ON REMOTE OBJECT DseClientTool to studio_role;
  • Lastly, SparkSQL queries will not execute and no error will be displayed if this last permission is not set:
    GRANT PROXY.EXECUTE ON ROLE studio_role TO alwayson_sql;
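
An added example, not part of the DataStax documentation: a Python check that reads a CQL provisioning script and reports which grants from the procedure above are absent for the Studio features in use, including the PROXY.EXECUTE grant whose absence produces no error. The feature labels, function names and sample script are assumptions made for this illustration, and identifiers are assumed to be unquoted.

```python
import re

# Grants required per Studio feature, copied from the procedure above.
# Tuples are (permission, resource, grantee); "{role}" is the Studio role.
# The feature keys are labels invented for this example.
REQUIRED = {
    "base": [("SELECT", "system_auth.roles", "{role}")],
    "graph": [("SELECT", "system_schema.vertices", "{role}"),
              ("SELECT", "system_schema.edges", "{role}")],
    "search": [("SELECT", "solr_admin.solr_resources", "{role}")],
    "aoss": [("SELECT", "dse_analytics.alwayson_sql_info", "{role}"),
             ("SELECT", "dse_analytics.alwayson_cache_table", "{role}"),
             ("SELECT", "system.local", "{role}"),
             ("EXECUTE", "REMOTE OBJECT DseClientTool", "{role}"),
             # Direction matters: ON the Studio role, TO alwayson_sql.
             ("PROXY.EXECUTE", "ROLE {role}", "alwayson_sql")],
}
GRANT_RE = re.compile(r"GRANT\s+(\S+)\s+ON\s+(.+?)\s+TO\s+(\S+)$", re.I | re.S)

def norm(perm, resource, grantee):
    """Fold case and whitespace so equivalent statements compare equal."""
    return perm.upper(), " ".join(resource.split()).lower(), grantee.lower()

def parse_grants(cql_text):
    """Return normalized (permission, resource, grantee) for each GRANT."""
    text = re.sub(r"--[^\n]*", "", cql_text)  # drop line comments
    matches = (GRANT_RE.match(s.strip()) for s in text.split(";"))
    return {norm(*m.groups()) for m in matches if m}

def missing_grants(cql_text, role, features):
    """List required GRANT statements that the script does not contain."""
    have, missing = parse_grants(cql_text), []
    for feature in ["base", *features]:
        for entry in REQUIRED[feature]:
            perm, res, grantee = (part.format(role=role) for part in entry)
            if norm(perm, res, grantee) not in have:
                missing.append(f"GRANT {perm} ON {res} TO {grantee};")
    return missing

# Constructed sample script; the last grant has its direction reversed.
SAMPLE = """
GRANT SELECT ON system_auth.roles to studio_role;
GRANT SELECT ON dse_analytics.alwayson_sql_info to studio_role;
GRANT SELECT ON dse_analytics.alwayson_cache_table to studio_role;
GRANT SELECT ON system.local to studio_role;
GRANT EXECUTE ON REMOTE OBJECT DseClientTool to studio_role;
GRANT PROXY.EXECUTE ON ROLE alwayson_sql TO studio_role;
"""
```

Calling `missing_grants(SAMPLE, "studio_role", ["aoss"])` flags only the PROXY.EXECUTE statement, because the sample grants it on the wrong role. `GRANT AUTHORIZE FOR ...` statements are deliberately not counted as holding the permission itself.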