Granting permission when role-based access control is enabled
Instructions for creating roles with required permissions when authentication is enabled for OpsCenter.
When Cassandra role-based access control (RBAC) is enabled, a default account is created with username cassandra and password cassandra. Create additional roles with permissions for the OpsCenter cluster and the monitored DataStax Enterprise (DSE) cluster. The Cassandra role used for the agent should have ALL permissions for the OpsCenter keyspace and DESCRIBE and SELECT for the monitored DSE cluster.
Procedure
- Create the opscenter role with SELECT permissions for the monitored DSE cluster:
    CREATE ROLE opscenter WITH PASSWORD = 'opscenter' AND SUPERUSER = false AND LOGIN = true;
    GRANT SELECT ON TABLE system.local TO opscenter;
    GRANT SELECT ON TABLE system.peers TO opscenter;
- Create the agent role with SELECT permissions for the monitored DSE cluster:
    CREATE ROLE agent WITH PASSWORD = 'agent' AND SUPERUSER = false AND LOGIN = true;
    GRANT SELECT ON TABLE system.local TO agent;
    GRANT SELECT ON TABLE system.peers TO agent;
    GRANT SELECT ON TABLE dse_perf.node_slow_log TO agent;
- Create the opscenter role with ALL permissions.
  - For an OpsCenter keyspace in the monitored DSE cluster:
      CREATE ROLE opscenter WITH PASSWORD = 'opscenter' AND SUPERUSER = false AND LOGIN = true;
      GRANT ALL ON KEYSPACE opscenter_keyspace TO opscenter;
  - For a separate OpsCenter storage cluster:
      CREATE ROLE agent WITH PASSWORD = 'agent' AND SUPERUSER = false AND LOGIN = true;
      GRANT ALL ON KEYSPACE opscenter_keyspace TO agent;
- Optional: If you plan to enable or disable NodeSync for specific tables using the OpsCenter NodeSync Service, grant the opscenter role ALTER permissions for those tables:
    GRANT ALTER ON TABLE keyspace_name.table_name TO opscenter;
- Optional: To allow OpsCenter to restore DSE Graphs, grant the opscenter role MODIFY, SELECT, and ALTER permissions for dse_system.shared_data:
    GRANT MODIFY, SELECT, ALTER ON TABLE dse_system.shared_data TO opscenter;
- Optional: For DSE Search clusters, grant the agent role SELECT and MODIFY permissions for solr_admin.solr_resources:
    GRANT SELECT, MODIFY ON TABLE solr_admin.solr_resources TO agent;
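To confirm that the roles ended up with only the grants this procedure lists, the following added example (not part of the DataStax documentation) compares the output of LIST ALL PERMISSIONS with the grants from the steps above. The pipe-delimited listing layout, the sample rows, and the names parse_permissions and audit are assumptions made for this example; site-specific NodeSync ALTER grants would have to be added to OPTIONAL.

```python
# Added example (not DataStax code): audit LIST ALL PERMISSIONS output.
OPSCENTER_KS = "keyspace opscenter_keyspace"  # GRANT ALL lists one row per permission
REQUIRED = {  # steps 1 and 2 of the procedure
    "opscenter": {("table system.local", "SELECT"), ("table system.peers", "SELECT")},
    "agent": {("table system.local", "SELECT"), ("table system.peers", "SELECT"),
              ("table dse_perf.node_slow_log", "SELECT")},
}
OPTIONAL = {  # optional DSE Graph restore and DSE Search steps
    "opscenter": {("table dse_system.shared_data", p) for p in ("MODIFY", "SELECT", "ALTER")},
    "agent": {("table solr_admin.solr_resources", p) for p in ("SELECT", "MODIFY")},
}
# Constructed sample listing (assumed cqlsh layout), not output from a real cluster.
SAMPLE = """\
 role      | username  | resource                      | permission
-----------+-----------+-------------------------------+------------
 agent     | agent     | <table system.local>          | SELECT
 agent     | agent     | <table system.peers>          | SELECT
 agent     | agent     | <all keyspaces>               | MODIFY
 opscenter | opscenter | <table system.local>          | SELECT
 opscenter | opscenter | <table system.peers>          | SELECT
 opscenter | opscenter | <keyspace opscenter_keyspace> | ALTER
"""

def parse_permissions(listing):
    """Return (role, resource, permission) tuples from a pipe-delimited listing."""
    rows, header = [], None
    for line in listing.splitlines():
        if "|" not in line:
            continue  # separator and blank lines carry no cells
        cells = [c.strip() for c in line.split("|")]
        if header is None:
            header = cells  # first pipe-delimited line names the columns
            continue
        rec = dict(zip(header, cells))
        rows.append((rec["role"], rec["resource"].strip("<>"), rec["permission"]))
    return rows

def audit(listing):
    """Report required grants that are missing and grants the page does not call for."""
    granted = {}
    for role, resource, perm in parse_permissions(listing):
        granted.setdefault(role, set()).add((resource, perm))
    findings = []
    for role, required in REQUIRED.items():
        have = granted.get(role, set())
        findings += [("missing", role, *item) for item in sorted(required - have)]
        findings += [("unexpected", role, *item) for item in sorted(have - required)
                     if item not in OPTIONAL[role] and item[0] != OPSCENTER_KS]
    return findings
```

On the constructed sample, audit(SAMPLE) reports that agent lacks SELECT on dse_perf.node_slow_log and holds a MODIFY grant on all keyspaces that no step calls for.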