CREATE ROLE

Creates a cluster wide database object used for access control.

Creates a cluster wide database object used for access control to database resources, such as keyspaces, tables, functions. Use roles to:

  • Define a set of permissions that can be assigned to other roles and mapped to external users.
  • Create login accounts for internal authentication. (Not recommended for production environments.)
Warning: A full access login account cassandra (password cassandra) is enabled by default; create your own full access role and drop the cassandra account.

Synopsis

CREATE ROLE [ IF NOT EXISTS ] role_name
  [ WITH [ SUPERUSER = ( true | false ) ] 
  [ [ AND ] LOGIN = ( true | false ) ] 
  ( WITH PASSWORD 'role_password' |
  WITH HASHED PASSWORD 'hashed_role_password' )
  [ [ AND ] OPTIONS = { option_map } ] ] ;
Table 1. Legend
Syntax conventions Description
UPPERCASE Literal keyword.
Lowercase Not literal.
Italics Variable value. Replace with a user-defined value.
[] Optional. Square brackets ( [] ) surround optional command arguments. Do not type the square brackets.
( ) Group. Parentheses ( ( ) ) identify a group to choose from. Do not type the parentheses.
| Or. A vertical bar ( | ) separates alternative elements. Type any one of the elements. Do not type the vertical bar.
... Repeatable. An ellipsis ( ... ) indicates that you can repeat the syntax element as often as required.
'Literal string' Single quotation ( ' ) marks must surround literal strings in CQL statements. Use single quotation marks to preserve upper case.
{ key : value } Map collection. Braces ( { } ) enclose map collections or key value pairs. A colon separates the key and the value.
<datatype1,datatype2> Set, list, map, or tuple. Angle brackets ( < > ) enclose data types in a set, list, map, or tuple. Separate the data types with a comma.
cql_statement; End CQL statement. A semicolon ( ; ) terminates all CQL statements.
[--] Separate the command line options from the command arguments with two hyphens ( -- ). This syntax is useful when arguments might be mistaken for command line options.
' <schema> ... </schema> ' Search CQL only: Single quotation marks ( ' ) surround an entire XML schema declaration.
@xml_entity='xml_entity_type' Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrConfig files.
role_name
Use a unique name for the role. DataStax Enterprise forces all names to lowercase; enclose in quotes to preserve case or use special characters in the name.
Note: To automatically map external users to roles with DSE Unified Authenticator, the role name must exactly match the LDAP group name, including case.
SUPERUSER
Attention: An account with the superuser role has full read/write access to the database. If your goal is that certain database administrators should not be able to see or modify data, do not assign superuser to those accounts. Instead, use RESTRICT to create database administrator accounts that are able to manage database resources and roles, but are unable to see or modify data. See Restricting access to data.

Default: false.

LOGIN
True allows the role to log in. Use true to create login accounts for internal authentication, PasswordAuthenticator, or DSE Unified Authenticator.

Default: false.

WITH PASSWORD | WITH HASHED PASSWORD

Enclose the password or hashed password in single quotes. Internal authentication requires a password or hashed password.

OPTIONS = { option_map }

Reserved for use with authentication plug-ins. Refer to the authenticator documentation for details.

Examples

Creating a login account

  1. Create a login role for coach. 
    CREATE ROLE IF NOT EXISTS coach 
WITH PASSWORD = 'All4One2day!' 
  AND LOGIN = true;
    If a hashed password is used, use WITH HASHED PASSWORD:
    Internal
          authentication requires the role to have a password or hashed password. The hashed
          password was generated with the DSE tool hash_password -p
          All4One2day!.
    2. 
        
  2. Verify that the account works by logging in:
          
    LOGIN coach
    3. 
        
  3. Enter the password at the prompt.
          
    Password: 
    4. 
        
  4. The cqlsh prompt includes the role name:
          
    coach@cqlsh>
    5. 
      

      
Creating a role

      
A best practice when using internal authentication is to create separate roles for
        permissions and login accounts. Once a role has been created it can be assigned as
        permission to another role, see GRANT for more details. Roles for externally authenticators
        users are mapped to the user's group name. LDAP mapping is case sensitive.

      
Create a role for the cycling keyspace administrator, that is a role that has full
        permission to only the cycling keyspace.

      
    
        
  1. Create the role:
          
    CREATE ROLE IF NOT EXISTS cycling_admin;
    At
          this point the role has no permissions. Manage permissions using GRANT and REVOKE.
    Note: A
            role can only modify permissions of another role and can only modify (GRANT or REVOKE)
            role permissions that it also has.
    2. 
        
  2. Assign the role full access to the cycling keyspace:
          
    GRANT ALL PERMISSIONS
ON KEYSPACE cycling
TO cycling_admin;
    
        
    3. 
        
  3. Now assign the role to the coach.
          
    GRANT cycling_admin
TO coach;
    This
          allows you to manage the permissions of all cycling administrators by modifying the
          cycling_admin role.
    4. 
        
  4. View the coach's permissions.
          
    LIST ALL PERMISSIONS OF coach;
    5. 
      

      
Changing a password

      
A role can change the password or hashed password for itself, or another role that it has
        permission to modify. A superuser can change the password or hashed password of any role.
        Use ALTER to change a role's password:
        
ALTER ROLE sandy
WITH PASSWORD = 'bestTeam';

        or with a hashed password: