Controlling Access to DataStax Graph Keyspaces
Set access privileges to roles for DataStax Graph management.
DataStax Graph authentication and authorization is accomplished with either
CQL authorization or DSE Unified Authentication.
Set access to graphs using the following syntax:
Allow access to a graph or vertex label/edge label:
GRANT <permission_name> ON KEYSPACE <graph_name> | [<graph_name>.]<label_table_name>) TO <role_name>;
Remove access to a graph:
REVOKE <permission_name> ON KEYSPACE <graph_name> | [<graph_name>.]<Label_table_name>) TO <role_name>;
Roles that manage Graph permissions must have
AUTHORIZE on the search index resource:
Manage permissions for a graph:
GRANT AUTHORIZE FOR <permission_name> ON KEYSPACE <graph_name> TO <role_name>;
Limit permissions to manage permissions to individual vertex label/edge label table:
GRANT AUTHORIZE FOR <permission_name> ON SEARCH INDEX [<keyspace_name>.]<table_name> TO <role_name>;
Superuser roles have permission to perform any action, including accessing a search indexes resource without any further explicit authorization.
A Studio user must have the following
GRANT SELECT ON system_auth.roles to <graph_role>;
This permission allows validation of the
CQLrole settings for
A Graph user must have the following
SELECTpermissions, set by default, to access DataStax Graph schema views:
GRANT SELECT ON system_schema.vertices to <graph_role>; GRANT SELECT ON system_schema.edges to <graph_role>;
These permissions need to be granted only in a non-default cluster where ystem keyspace filtering is configured.
When DSE Search is used for any data in Studio, the following permission is required to access the search resources and display search indexes:
GRANT SELECT ON solr_admin.solr_resources to <graph_role>;
The following permissions are required when
AlwaysOn SparkSQLis used with Graph, to determine
AOSSstatus, to display
SparkSQLcached tables in the schema view, to identify the current datacenter for the
SparkSQLcached tables, and to identify DataStax Graph and
GRANT SELECT ON dse_analytics.alwayson_sql_info to <graph_role>; GRANT SELECT ON dse_analytics.alwayson_cache_table to <graph_role>;