Cassandra Permissions

If Cassandra is configured to use an authorizer by setting authorizer: CassandraAuthorizer in cassandra.yaml, access to resources such as tables and keyspaces requires that permission be granted to the user. Here, we will see how to grant permissions.

Grant CREATE Permission on keyspace

Connect as the superuser using cqlsh. The default superuser is cassandra and the password is cassandra.

[bigdata@orcl1 bin]$ ./cqlsh -u cassandra -p cassandra
Connected to cassandra1 at orcl1:9042.
[cqlsh 5.0.1 | Cassandra 3.7 | CQL spec 3.4.2 | Native protocol v4]
Use HELP for help.
cassandra@cqlsh>
cassandra@cqlsh>  GRANT CREATE PERMISSION ON KEYSPACE testks TO prajeeth;

Here, the user prajeeth is granted CREATE on keyspace testks.

cassandra@cqlsh:system_auth> SELECT * FROM system_auth.role_permissions;

 role     | resource          | permissions
----------+-------------------+----------------------------------------------------
 prajeeth |       data/testks |                                         {'CREATE'}
 prajeeth | data/testks/users | {'ALTER', 'AUTHORIZE', 'DROP', 'MODIFY', 'SELECT'}

(2 rows)

The query output confirms that the user prajeeth is granted CREATE on keyspace testks.

Grant SELECT Permission on Table

Connect as the superuser using cqlsh. The default superuser is cassandra and the password is cassandra.

[bigdata@orcl1 bin]$ ./cqlsh -u cassandra -p cassandra
Connected to cassandra1 at orcl1:9042.
[cqlsh 5.0.1 | Cassandra 3.7 | CQL spec 3.4.2 | Native protocol v4]
Use HELP for help.
cassandra@cqlsh>
cassandra@cqlsh> GRANT SELECT PERMISSION ON testks.employee TO prajeeth;

The user prajeeth is granted SELECT on table testks.employee.

Querying system_auth.role_permissions confirms that the user prajeeth is granted SELECT on the testks.employee table:

cassandra@cqlsh:system_traces> SELECT * FROM system_auth.role_permissions;

 role     | resource             | permissions
----------+----------------------+----------------------------------------------------
 prajeeth |          data/testks |                                         {'CREATE'}
 prajeeth | data/testks/employee |                                         {'SELECT'}
 prajeeth |    data/testks/users | {'ALTER', 'AUTHORIZE', 'DROP', 'MODIFY', 'SELECT'}

(3 rows)
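
As an added example (not part of the original page), the following Python script parses the role_permissions output shown above and compares it with an intended set of grants, so that permissions nobody planned for stand out. The EXPECTED policy and the function names are assumptions made for this illustration.

```python
import ast

# cqlsh output of SELECT * FROM system_auth.role_permissions, copied from this page.
CQLSH_OUTPUT = """
 role     | resource             | permissions
----------+----------------------+----------------------------------------------------
 prajeeth |          data/testks |                                         {'CREATE'}
 prajeeth | data/testks/employee |                                         {'SELECT'}
 prajeeth |    data/testks/users | {'ALTER', 'AUTHORIZE', 'DROP', 'MODIFY', 'SELECT'}

(3 rows)
"""

# Hypothetical policy (an assumption for this example): the grants meant to exist.
EXPECTED = {
    ("prajeeth", "data/testks"): {"CREATE"},
    ("prajeeth", "data/testks/employee"): {"SELECT"},
}


def parse_role_permissions(text):
    """Return {(role, resource): set(permissions)} from cqlsh tabular output."""
    grants = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        # Skip blank lines, the separator row, the "(n rows)" footer and the header.
        if len(cells) != 3 or cells[0] == "role":
            continue
        role, resource, perms = cells
        # cqlsh prints the set<text> column as a Python-style set literal.
        grants[(role, resource)] = set(ast.literal_eval(perms)) if perms.startswith("{") else set()
    return grants


def audit(grants, expected):
    """Compare actual grants with the intended ones; return (excess, missing)."""
    excess, missing = {}, {}
    for key in sorted(set(grants) | set(expected)):
        actual, wanted = grants.get(key, set()), expected.get(key, set())
        if actual - wanted:
            excess[key] = actual - wanted
        if wanted - actual:
            missing[key] = wanted - actual
    return excess, missing


if __name__ == "__main__":
    excess, missing = audit(parse_role_permissions(CQLSH_OUTPUT), EXPECTED)
    print("not in policy:", excess)
    print("not yet granted:", missing)
```

Against the assumed policy, only the data/testks/users row is reported, because the policy lists no grants for that table.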