Configuring row-level access control

Enable row-level access control (RLAC) in LCM for DSE clusters that have tables with row-level permissions required for user access.

Row-level access control (RLAC) enforces authorization policies to data within a table by matching a filter, such as a user or company name, applied to a text-based partition key. RLAC provides more granular security for tables so that only authorized users can view or modify subsets of the data. The RLAC feature is useful for multi-tenant applications.

Enable row-level access control in LCM for DSE clusters that have tables with row-level permissions required for access. Follow these steps to make Lifecycle Manager (LCM) aware of and allow use of RLAC configured for DataStax Enterprise (DSE) clusters provisioned and managed by LCM.
Note: RLAC is supported in DSE 5.1 and later, and LCM 6.1 and later.

Procedure

  1. Click Config Profiles from the Lifecycle Manager navigation menu.
  2. Click the edit icon for the configuration profile to edit, or click Add config profile if you have not already created a profile.
  3. In the Config Profile pane under the Cassandra section, select cassandra.yaml.
  4. In the Security pane, verify the following selections:
    1. Ensure that the authenticator setting is DseAuthenticator.
    2. Ensure that the authorizer setting is DseAuthorizer.

    Set authorizer and authenticator security in cassandra.yaml in LCM config profile

  5. In the Config Profile pane under the Cassandra section, select dse.yaml.
  6. Scroll to the DSE Authorizer Options pane and make the following selections:
    1. Select enabled for authorization options.
    2. Select allow_row_level_security.

    Allow row level security setting in DSE Authorizer Options in dse.yaml in LCM config profile

  7. Click Save to save the Config Profile.

What's next

  1. Go to the Clusters workspace in Lifecycle Manager and select the configuration profile to apply at the cluster, datacenter, or node level. Nodes can inherit configuration profile settings from the cluster or datacenter levels, or have settings at the node level that take precedence.
  2. Run a configuration job to push the configuration to all applicable nodes.
  3. Restrict the applicable tables rows and grant permissions to the applicable role names using GRANT or REVOKE statements as required for your environment. For details and an example, see Setting up Row Level Access Control (RLAC).
  4. Log in as each user role and run queries to confirm that results represent your defined access permissions.