Controlling access to search indexes

Assign access privileges to roles for search index management.


Permissions and syntax

Set access to search indexes using the following syntax:
  • Allow access to search index:
    GRANT permission_name 
    ON (ALL SEARCH INDICES | SEARCH KEYSPACE keyspace_name | SEARCH INDEX [keyspace_name.]table_name) 
    TO role_name;
  • Remove access to search index:
    REVOKE permission_name 
    ON (ALL SEARCH INDICES | SEARCH KEYSPACE keyspace_name | SEARCH INDEX [keyspace_name.]table_name)  
    FROM role_name;
Table 1. Search index permissions

| permission_name | CQL command | Description |
|-----------------|-------------|-------------|
| ALL PERMISSIONS | (all commands below) | Perform any search index actions and authorize other roles to use any of the actions below. |
| SEARCH.ALTER | | Add, drop, and set schema fields and configuration elements in a search index. |
| SEARCH.COMMIT | | Move the search index from RAM buffer to another on-heap memory location that is suitable for searching. |
| SEARCH.CREATE | | Define a new search index. |
| SEARCH.DROP | | Remove a search index. |
| SEARCH.REBUILD | | Rebuilds the index of the search index. |
| SEARCH.RELOAD | | Reloads the search index. |

Requirements to GRANT/REVOKE Search Index permissions

Roles that manage Search Index permissions must have AUTHORIZE on the search index resource:
  • Manage permissions for all search indexes:
    GRANT AUTHORIZE FOR permission_name
    ON ALL SEARCH INDICES 
    TO role_name;
  • Limit the ability to manage permissions to individual tables:
    GRANT AUTHORIZE FOR permission_name
    ON SEARCH INDEX [keyspace_name.]table_name 
    TO role_name;
Note: Superuser roles have permission to perform any action and therefore do not require an explicit AUTHORIZE grant for a permission on a search index resource.

Procedure

  • Set access to all search indexes:
    GRANT ALL PERMISSIONS ON ALL SEARCH INDICES TO role_name;
  • Limit access to a specific table:
    GRANT ALL PERMISSIONS ON SEARCH INDEX [keyspace_name.]table_name TO role_name;
  • Remove previously granted access to all search indexes:
    REVOKE ALL PERMISSIONS ON ALL SEARCH INDICES FROM role_name;
  • Remove previously granted access to a specific table:
    REVOKE ALL PERMISSIONS ON SEARCH INDEX [keyspace_name.]table_name FROM role_name;
  • List all roles that have access to search indexes:
    LIST ALL PERMISSIONS ON (ALL SEARCH INDICES|[keyspace_name.]table_name);
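
The procedure above grants ALL PERMISSIONS. The following added example (not part of the original documentation) uses the same GRANT, REVOKE, and AUTHORIZE syntax to split search index duties across narrower roles. The keyspace cycling, the table comments, and all role names are hypothetical.

```cql
-- Constructed example: keyspace, table, and role names are hypothetical.
-- Roles without login act as permission bundles that are granted to users.
CREATE ROLE IF NOT EXISTS search_operator WITH LOGIN = false;
CREATE ROLE IF NOT EXISTS search_schema_admin WITH LOGIN = false;
CREATE ROLE IF NOT EXISTS search_perm_manager WITH LOGIN = false;

-- Operators maintain one existing index. They receive no CREATE, ALTER,
-- or DROP permission, so they cannot change or remove the index.
GRANT SEARCH.COMMIT  ON SEARCH INDEX cycling.comments TO search_operator;
GRANT SEARCH.REBUILD ON SEARCH INDEX cycling.comments TO search_operator;
GRANT SEARCH.RELOAD  ON SEARCH INDEX cycling.comments TO search_operator;

-- Schema admins define and change indexes, scoped to a single keyspace
-- instead of ALL SEARCH INDICES. SEARCH.DROP is deliberately withheld.
GRANT SEARCH.CREATE ON SEARCH KEYSPACE cycling TO search_schema_admin;
GRANT SEARCH.ALTER  ON SEARCH KEYSPACE cycling TO search_schema_admin;

-- The permission manager may grant or revoke only the two operator
-- permissions named here, and only on this one index.
GRANT AUTHORIZE FOR SEARCH.REBUILD
  ON SEARCH INDEX cycling.comments TO search_perm_manager;
GRANT AUTHORIZE FOR SEARCH.RELOAD
  ON SEARCH INDEX cycling.comments TO search_perm_manager;

-- Withdraw a permission once it is no longer needed.
REVOKE SEARCH.ALTER ON SEARCH KEYSPACE cycling FROM search_schema_admin;

-- Review the result: per role, then across all search indexes.
LIST ALL PERMISSIONS OF search_operator;
LIST ALL PERMISSIONS OF search_schema_admin;
LIST ALL PERMISSIONS ON ALL SEARCH INDICES;
```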