| |
| |
| <!DOCTYPE html> |
| <!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]--> |
| <!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]--> |
| <head> |
| <meta charset="utf-8"> |
| |
| <meta name="viewport" content="width=device-width, initial-scale=1.0"> |
| |
| <title>Security — Apache Cassandra Documentation v3.11.11</title> |
| |
| |
| |
| |
| |
| |
| |
| |
| <script type="text/javascript" src="../_static/js/modernizr.min.js"></script> |
| |
| |
| <script type="text/javascript" id="documentation_options" data-url_root="../" src="../_static/documentation_options.js"></script> |
| <script type="text/javascript" src="../_static/jquery.js"></script> |
| <script type="text/javascript" src="../_static/underscore.js"></script> |
| <script type="text/javascript" src="../_static/doctools.js"></script> |
| <script type="text/javascript" src="../_static/language_data.js"></script> |
| |
| <script type="text/javascript" src="../_static/js/theme.js"></script> |
| |
| |
| |
| |
| <link rel="stylesheet" href="../_static/css/theme.css" type="text/css" /> |
| <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> |
| <link rel="stylesheet" href="../_static/extra.css" type="text/css" /> |
| <link rel="index" title="Index" href="../genindex.html" /> |
| <link rel="search" title="Search" href="../search.html" /> |
| <link rel="next" title="Functions" href="functions.html" /> |
| <link rel="prev" title="Materialized Views" href="mvs.html" /> |
| </head> |
| |
| <body class="wy-body-for-nav"> |
| |
| |
| <div class="wy-grid-for-nav"> |
| |
| |
| <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"> |
| |
| |
| |
| |
| <div class="wy-nav-content"> |
| |
| <div class="rst-content"> |
| <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article"> |
| <div itemprop="articleBody"> |
| |
| <div class="section" id="security"> |
| <span id="cql-security"></span><h1>Security<a class="headerlink" href="#security" title="Permalink to this headline">¶</a></h1> |
| <div class="section" id="database-roles"> |
| <span id="cql-roles"></span><h2>Database Roles<a class="headerlink" href="#database-roles" title="Permalink to this headline">¶</a></h2> |
| <p>CQL uses database roles to represent users and groups of users. Syntactically, a role is defined by:</p> |
| <pre> |
| <strong id="grammar-token-role-name">role_name</strong> ::= <a class="reference internal" href="definitions.html#grammar-token-identifier"><code class="xref docutils literal notranslate"><span class="pre">identifier</span></code></a> | <a class="reference internal" href="definitions.html#grammar-token-string"><code class="xref docutils literal notranslate"><span class="pre">string</span></code></a> |
| </pre> |
| <div class="section" id="create-role"> |
| <span id="create-role-statement"></span><h3>CREATE ROLE<a class="headerlink" href="#create-role" title="Permalink to this headline">¶</a></h3> |
| <p>Creating a role uses the <code class="docutils literal notranslate"><span class="pre">CREATE</span> <span class="pre">ROLE</span></code> statement:</p> |
| <pre> |
| <strong id="grammar-token-create-role-statement">create_role_statement</strong> ::= CREATE ROLE [ IF NOT EXISTS ] <a class="reference internal" href="#grammar-token-role-name"><code class="xref docutils literal notranslate"><span class="pre">role_name</span></code></a> |
| [ WITH <a class="reference internal" href="#grammar-token-role-options"><code class="xref docutils literal notranslate"><span class="pre">role_options</span></code></a> ] |
| <strong id="grammar-token-role-options">role_options </strong> ::= <a class="reference internal" href="#grammar-token-role-option"><code class="xref docutils literal notranslate"><span class="pre">role_option</span></code></a> ( AND <a class="reference internal" href="#grammar-token-role-option"><code class="xref docutils literal notranslate"><span class="pre">role_option</span></code></a> )* |
| <strong id="grammar-token-role-option">role_option </strong> ::= PASSWORD '=' <a class="reference internal" href="definitions.html#grammar-token-string"><code class="xref docutils literal notranslate"><span class="pre">string</span></code></a> |
| | LOGIN '=' <a class="reference internal" href="definitions.html#grammar-token-boolean"><code class="xref docutils literal notranslate"><span class="pre">boolean</span></code></a> |
| | SUPERUSER '=' <a class="reference internal" href="definitions.html#grammar-token-boolean"><code class="xref docutils literal notranslate"><span class="pre">boolean</span></code></a> |
| | OPTIONS '=' <a class="reference internal" href="types.html#grammar-token-map-literal"><code class="xref docutils literal notranslate"><span class="pre">map_literal</span></code></a> |
| </pre> |
| <p>For instance:</p> |
| <div class="highlight-cql notranslate"><div class="highlight"><pre><span></span><span class="k">CREATE</span> <span class="k">ROLE</span> <span class="n">new_role</span><span class="p">;</span> |
| <span class="k">CREATE</span> <span class="k">ROLE</span> <span class="n">alice</span> <span class="k">WITH</span> <span class="k">PASSWORD</span> <span class="o">=</span> <span class="s1">'password_a'</span> <span class="k">AND</span> <span class="k">LOGIN</span> <span class="o">=</span> <span class="n">true</span><span class="p">;</span> |
| <span class="k">CREATE</span> <span class="k">ROLE</span> <span class="n">bob</span> <span class="k">WITH</span> <span class="k">PASSWORD</span> <span class="o">=</span> <span class="s1">'password_b'</span> <span class="k">AND</span> <span class="k">LOGIN</span> <span class="o">=</span> <span class="n">true</span> <span class="k">AND</span> <span class="k">SUPERUSER</span> <span class="o">=</span> <span class="n">true</span><span class="p">;</span> |
| <span class="k">CREATE</span> <span class="k">ROLE</span> <span class="n">carlos</span> <span class="k">WITH</span> <span class="k">OPTIONS</span> <span class="o">=</span> <span class="p">{</span> <span class="s1">'custom_option1'</span> <span class="p">:</span> <span class="s1">'option1_value'</span><span class="p">,</span> <span class="s1">'custom_option2'</span> <span class="p">:</span> <span class="mf">99</span> <span class="p">};</span> |
| </pre></div> |
| </div> |
| <p>By default roles do not possess <code class="docutils literal notranslate"><span class="pre">LOGIN</span></code> privileges or <code class="docutils literal notranslate"><span class="pre">SUPERUSER</span></code> status.</p> |
| <p><a class="reference internal" href="#cql-permissions"><span class="std std-ref">Permissions</span></a> on database resources are granted to roles; types of resources include keyspaces, |
| tables, functions and roles themselves. Roles may be granted to other roles to create hierarchical permissions |
| structures; in these hierarchies, permissions and <code class="docutils literal notranslate"><span class="pre">SUPERUSER</span></code> status are inherited, but the <code class="docutils literal notranslate"><span class="pre">LOGIN</span></code> privilege is |
| not.</p> |
| <p>If a role has the <code class="docutils literal notranslate"><span class="pre">LOGIN</span></code> privilege, clients may identify as that role when connecting. For the duration of that |
| connection, the client will acquire any roles and privileges granted to that role.</p> |
| <p>Only a client with the <code class="docutils literal notranslate"><span class="pre">CREATE</span></code> permission on the database roles resource may issue <code class="docutils literal notranslate"><span class="pre">CREATE</span> <span class="pre">ROLE</span></code> requests (see |
| the <a class="reference internal" href="#cql-permissions"><span class="std std-ref">relevant section</span></a> below), unless the client is a <code class="docutils literal notranslate"><span class="pre">SUPERUSER</span></code>. Role management in Cassandra |
| is pluggable and custom implementations may support only a subset of the listed options.</p> |
| <p>Role names should be quoted if they contain non-alphanumeric characters.</p> |
| <div class="section" id="setting-credentials-for-internal-authentication"> |
| <span id="id1"></span><h4>Setting credentials for internal authentication<a class="headerlink" href="#setting-credentials-for-internal-authentication" title="Permalink to this headline">¶</a></h4> |
| <p>Use the <code class="docutils literal notranslate"><span class="pre">WITH</span> <span class="pre">PASSWORD</span></code> clause to set a password for internal authentication, enclosing the password in single |
| quotation marks.</p> |
| <p>If internal authentication has not been set up or the role does not have <code class="docutils literal notranslate"><span class="pre">LOGIN</span></code> privileges, the <code class="docutils literal notranslate"><span class="pre">WITH</span> <span class="pre">PASSWORD</span></code> |
| clause is not necessary.</p> |
| </div> |
| <div class="section" id="creating-a-role-conditionally"> |
| <h4>Creating a role conditionally<a class="headerlink" href="#creating-a-role-conditionally" title="Permalink to this headline">¶</a></h4> |
| <p>Attempting to create an existing role results in an invalid query condition unless the <code class="docutils literal notranslate"><span class="pre">IF</span> <span class="pre">NOT</span> <span class="pre">EXISTS</span></code> option is used. |
| If the option is used and the role exists, the statement is a no-op:</p> |
| <div class="highlight-cql notranslate"><div class="highlight"><pre><span></span><span class="k">CREATE</span> <span class="k">ROLE</span> <span class="n">other_role</span><span class="p">;</span> |
| <span class="k">CREATE</span> <span class="k">ROLE</span> <span class="k">IF</span> <span class="k">NOT</span> <span class="k">EXISTS</span> <span class="n">other_role</span><span class="p">;</span> |
| </pre></div> |
| </div> |
| </div> |
| </div> |
| <div class="section" id="alter-role"> |
| <span id="alter-role-statement"></span><h3>ALTER ROLE<a class="headerlink" href="#alter-role" title="Permalink to this headline">¶</a></h3> |
| <p>Altering a role's options uses the <code class="docutils literal notranslate"><span class="pre">ALTER</span> <span class="pre">ROLE</span></code> statement:</p> |
| <pre> |
| <strong id="grammar-token-alter-role-statement">alter_role_statement</strong> ::= ALTER ROLE <a class="reference internal" href="#grammar-token-role-name"><code class="xref docutils literal notranslate"><span class="pre">role_name</span></code></a> WITH <a class="reference internal" href="#grammar-token-role-options"><code class="xref docutils literal notranslate"><span class="pre">role_options</span></code></a> |
| </pre> |
| <p>For instance:</p> |
| <div class="highlight-cql notranslate"><div class="highlight"><pre><span></span><span class="k">ALTER</span> <span class="k">ROLE</span> <span class="n">bob</span> <span class="k">WITH</span> <span class="k">PASSWORD</span> <span class="o">=</span> <span class="s1">'PASSWORD_B'</span> <span class="k">AND</span> <span class="k">SUPERUSER</span> <span class="o">=</span> <span class="n">false</span><span class="p">;</span> |
| </pre></div> |
| </div> |
| <p>Conditions on executing <code class="docutils literal notranslate"><span class="pre">ALTER</span> <span class="pre">ROLE</span></code> statements:</p> |
| <ul class="simple"> |
| <li><p>A client must have <code class="docutils literal notranslate"><span class="pre">SUPERUSER</span></code> status to alter the <code class="docutils literal notranslate"><span class="pre">SUPERUSER</span></code> status of another role</p></li> |
| <li><p>A client cannot alter the <code class="docutils literal notranslate"><span class="pre">SUPERUSER</span></code> status of any role it currently holds</p></li> |
| <li><p>A client can only modify certain properties of the role with which it identified at login (e.g. <code class="docutils literal notranslate"><span class="pre">PASSWORD</span></code>)</p></li> |
| <li><p>To modify properties of a role, the client must be granted <code class="docutils literal notranslate"><span class="pre">ALTER</span></code> <a class="reference internal" href="#cql-permissions"><span class="std std-ref">permission</span></a> on that role</p></li> |
| </ul> |
| </div> |
| <div class="section" id="drop-role"> |
| <span id="drop-role-statement"></span><h3>DROP ROLE<a class="headerlink" href="#drop-role" title="Permalink to this headline">¶</a></h3> |
| <p>Dropping a role uses the <code class="docutils literal notranslate"><span class="pre">DROP</span> <span class="pre">ROLE</span></code> statement:</p> |
| <pre> |
| <strong id="grammar-token-drop-role-statement">drop_role_statement</strong> ::= DROP ROLE [ IF EXISTS ] <a class="reference internal" href="#grammar-token-role-name"><code class="xref docutils literal notranslate"><span class="pre">role_name</span></code></a> |
| </pre> |
| <p><code class="docutils literal notranslate"><span class="pre">DROP</span> <span class="pre">ROLE</span></code> requires the client to have <code class="docutils literal notranslate"><span class="pre">DROP</span></code> <a class="reference internal" href="#cql-permissions"><span class="std std-ref">permission</span></a> on the role in question. In |
| addition, a client may not <code class="docutils literal notranslate"><span class="pre">DROP</span></code> the role with which it identified at login. Finally, only a client with <code class="docutils literal notranslate"><span class="pre">SUPERUSER</span></code> |
| status may <code class="docutils literal notranslate"><span class="pre">DROP</span></code> another <code class="docutils literal notranslate"><span class="pre">SUPERUSER</span></code> role.</p> |
| <p>Attempting to drop a role which does not exist results in an invalid query condition unless the <code class="docutils literal notranslate"><span class="pre">IF</span> <span class="pre">EXISTS</span></code> option is |
| used. If the option is used and the role does not exist, the statement is a no-op.</p> |
| </div> |
| <div class="section" id="grant-role"> |
| <span id="grant-role-statement"></span><h3>GRANT ROLE<a class="headerlink" href="#grant-role" title="Permalink to this headline">¶</a></h3> |
| <p>Granting a role to another uses the <code class="docutils literal notranslate"><span class="pre">GRANT</span> <span class="pre">ROLE</span></code> statement:</p> |
| <pre> |
| <strong id="grammar-token-grant-role-statement">grant_role_statement</strong> ::= GRANT <a class="reference internal" href="#grammar-token-role-name"><code class="xref docutils literal notranslate"><span class="pre">role_name</span></code></a> TO <a class="reference internal" href="#grammar-token-role-name"><code class="xref docutils literal notranslate"><span class="pre">role_name</span></code></a> |
| </pre> |
| <p>For instance:</p> |
| <div class="highlight-cql notranslate"><div class="highlight"><pre><span></span><span class="k">GRANT</span> <span class="n">report_writer</span> <span class="k">TO</span> <span class="n">alice</span><span class="p">;</span> |
| </pre></div> |
| </div> |
| <p>This statement grants the <code class="docutils literal notranslate"><span class="pre">report_writer</span></code> role to <code class="docutils literal notranslate"><span class="pre">alice</span></code>. Any permissions granted to <code class="docutils literal notranslate"><span class="pre">report_writer</span></code> are also |
| acquired by <code class="docutils literal notranslate"><span class="pre">alice</span></code>.</p> |
| <p>Roles are modelled as a directed acyclic graph, so circular grants are not permitted. The following examples result in |
| error conditions:</p> |
| <div class="highlight-cql notranslate"><div class="highlight"><pre><span></span><span class="k">GRANT</span> <span class="n">role_a</span> <span class="k">TO</span> <span class="n">role_b</span><span class="p">;</span> |
| <span class="k">GRANT</span> <span class="n">role_b</span> <span class="k">TO</span> <span class="n">role_a</span><span class="p">;</span> |
| |
| <span class="k">GRANT</span> <span class="n">role_a</span> <span class="k">TO</span> <span class="n">role_b</span><span class="p">;</span> |
| <span class="k">GRANT</span> <span class="n">role_b</span> <span class="k">TO</span> <span class="n">role_c</span><span class="p">;</span> |
| <span class="k">GRANT</span> <span class="n">role_c</span> <span class="k">TO</span> <span class="n">role_a</span><span class="p">;</span> |
| </pre></div> |
| </div> |
| </div> |
| <div class="section" id="revoke-role"> |
| <span id="revoke-role-statement"></span><h3>REVOKE ROLE<a class="headerlink" href="#revoke-role" title="Permalink to this headline">¶</a></h3> |
| <p>Revoking a role uses the <code class="docutils literal notranslate"><span class="pre">REVOKE</span> <span class="pre">ROLE</span></code> statement:</p> |
| <pre> |
| <strong id="grammar-token-revoke-role-statement">revoke_role_statement</strong> ::= REVOKE <a class="reference internal" href="#grammar-token-role-name"><code class="xref docutils literal notranslate"><span class="pre">role_name</span></code></a> FROM <a class="reference internal" href="#grammar-token-role-name"><code class="xref docutils literal notranslate"><span class="pre">role_name</span></code></a> |
| </pre> |
| <p>For instance:</p> |
| <div class="highlight-cql notranslate"><div class="highlight"><pre><span></span><span class="k">REVOKE</span> <span class="n">report_writer</span> <span class="k">FROM</span> <span class="n">alice</span><span class="p">;</span> |
| </pre></div> |
| </div> |
| <p>This statement revokes the <code class="docutils literal notranslate"><span class="pre">report_writer</span></code> role from <code class="docutils literal notranslate"><span class="pre">alice</span></code>. Any permissions that <code class="docutils literal notranslate"><span class="pre">alice</span></code> has acquired via the |
| <code class="docutils literal notranslate"><span class="pre">report_writer</span></code> role are also revoked.</p> |
| </div> |
| <div class="section" id="list-roles"> |
| <span id="list-roles-statement"></span><h3>LIST ROLES<a class="headerlink" href="#list-roles" title="Permalink to this headline">¶</a></h3> |
| <p>All the known roles (in the system or granted to a specific role) can be listed using the <code class="docutils literal notranslate"><span class="pre">LIST</span> <span class="pre">ROLES</span></code> statement:</p> |
| <pre> |
| <strong id="grammar-token-list-roles-statement">list_roles_statement</strong> ::= LIST ROLES [ OF <a class="reference internal" href="#grammar-token-role-name"><code class="xref docutils literal notranslate"><span class="pre">role_name</span></code></a> ] [ NORECURSIVE ] |
| </pre> |
| <p>For instance:</p> |
| <div class="highlight-cql notranslate"><div class="highlight"><pre><span></span><span class="k">LIST</span> <span class="k">ROLES</span><span class="p">;</span> |
| </pre></div> |
| </div> |
| <p>returns all known roles in the system; this requires <code class="docutils literal notranslate"><span class="pre">DESCRIBE</span></code> permission on the database roles resource. And:</p> |
| <div class="highlight-cql notranslate"><div class="highlight"><pre><span></span><span class="k">LIST</span> <span class="k">ROLES</span> <span class="k">OF</span> <span class="n">alice</span><span class="p">;</span> |
| </pre></div> |
| </div> |
| <p>enumerates all roles granted to <code class="docutils literal notranslate"><span class="pre">alice</span></code>, including those transitively acquired. But:</p> |
| <div class="highlight-cql notranslate"><div class="highlight"><pre><span></span><span class="k">LIST</span> <span class="k">ROLES</span> <span class="k">OF</span> <span class="n">bob</span> <span class="k">NORECURSIVE</span><span class="p">;</span> |
| </pre></div> |
| </div> |
| <p>lists all roles directly granted to <code class="docutils literal notranslate"><span class="pre">bob</span></code> without including any of the transitively acquired ones.</p> |
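| <p>The inheritance rule from the <code class="docutils literal notranslate"><span class="pre">CREATE</span> <span class="pre">ROLE</span></code> section, the acyclic-graph rule from <code class="docutils literal notranslate"><span class="pre">GRANT</span> <span class="pre">ROLE</span></code> and the two <code class="docutils literal notranslate"><span class="pre">LIST</span> <span class="pre">ROLES</span> <span class="pre">OF</span></code> forms, modelled in Python as an added example (not Cassandra's own code): it rejects circular grants, resolves direct versus transitive roles, and flags login roles that are superusers only through inheritance. The role rows are constructed sample data and every function name is a hypothetical helper.</p> |

```python
"""Model of CQL role grants (added illustration, not Cassandra code)."""
import copy

# Constructed sample data. "member_of" holds the roles granted directly to
# the role, i.e. the effect of GRANT <entry> TO <role>.
SAMPLE_ROLES = {
    "dba":           {"can_login": False, "is_superuser": True,  "member_of": set()},
    "ops":           {"can_login": False, "is_superuser": False, "member_of": {"dba"}},
    "report_writer": {"can_login": False, "is_superuser": False, "member_of": set()},
    "alice":         {"can_login": True,  "is_superuser": False, "member_of": {"report_writer"}},
    "bob":           {"can_login": True,  "is_superuser": False, "member_of": {"ops"}},
    "auditor":       {"can_login": False, "is_superuser": False, "member_of": {"alice"}},
}


class CircularGrantError(ValueError):
    """Raised when a grant would break the acyclic role graph."""


def fresh_roles():
    """Return an independent copy of the constructed sample."""
    return copy.deepcopy(SAMPLE_ROLES)


def create_role(roles, name, login=False, superuser=False):
    """CREATE ROLE: LOGIN and SUPERUSER are both off unless requested."""
    if name in roles:
        raise ValueError(f"role {name!r} already exists")
    roles[name] = {"can_login": login, "is_superuser": superuser, "member_of": set()}


def roles_of(roles, name, recursive=True):
    """Roles granted to `name`: direct only (NORECURSIVE) or transitive."""
    direct = set(roles[name]["member_of"])
    if not recursive:
        return direct
    seen, stack = set(), list(direct)
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(roles[current]["member_of"])
    return seen


def grant_role(roles, granted, grantee):
    """GRANT granted TO grantee, refusing any grant that closes a cycle."""
    # A cycle appears exactly when `granted` already holds `grantee`.
    if granted == grantee or grantee in roles_of(roles, granted):
        raise CircularGrantError(f"granting {granted} to {grantee} is circular")
    roles[grantee]["member_of"].add(granted)


def is_effective_superuser(roles, name):
    """SUPERUSER status is inherited through granted roles."""
    if roles[name]["is_superuser"]:
        return True
    return any(roles[r]["is_superuser"] for r in roles_of(roles, name))


def can_login(roles, name):
    """LOGIN is not inherited: only the role's own flag counts."""
    return roles[name]["can_login"]


def audit_inherited_superusers(roles):
    """Login roles whose own flag is false but that inherit SUPERUSER."""
    return sorted(
        name
        for name, attrs in roles.items()
        if attrs["can_login"]
        and not attrs["is_superuser"]
        and is_effective_superuser(roles, name)
    )


if __name__ == "__main__":
    sample = fresh_roles()
    print("roles of bob (recursive):  ", sorted(roles_of(sample, "bob")))
    print("roles of bob (NORECURSIVE):", sorted(roles_of(sample, "bob", recursive=False)))
    print("inherited superusers:      ", audit_inherited_superusers(sample))
```

| <p>A role's own <code class="docutils literal notranslate"><span class="pre">SUPERUSER</span></code> flag can be false while the role still inherits the status, so an access review has to walk the grant graph rather than read the flag alone.</p> |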
| </div> |
| </div> |
| <div class="section" id="users"> |
| <h2>Users<a class="headerlink" href="#users" title="Permalink to this headline">¶</a></h2> |
| <p>Prior to the introduction of roles in Cassandra 2.2, authentication and authorization were based around the concept of a |
| <code class="docutils literal notranslate"><span class="pre">USER</span></code>. For backward compatibility, the legacy syntax has been preserved with <code class="docutils literal notranslate"><span class="pre">USER</span></code> centric statements becoming |
| synonyms for the <code class="docutils literal notranslate"><span class="pre">ROLE</span></code> based equivalents. In other words, creating/updating a user is just a different syntax for |
| creating/updating a role.</p> |
| <div class="section" id="create-user"> |
| <span id="create-user-statement"></span><h3>CREATE USER<a class="headerlink" href="#create-user" title="Permalink to this headline">¶</a></h3> |
| <p>Creating a user uses the <code class="docutils literal notranslate"><span class="pre">CREATE</span> <span class="pre">USER</span></code> statement:</p> |
| <pre> |
| <strong id="grammar-token-create-user-statement">create_user_statement</strong> ::= CREATE USER [ IF NOT EXISTS ] <a class="reference internal" href="#grammar-token-role-name"><code class="xref docutils literal notranslate"><span class="pre">role_name</span></code></a> [ WITH PASSWORD <a class="reference internal" href="definitions.html#grammar-token-string"><code class="xref docutils literal notranslate"><span class="pre">string</span></code></a> ] [ <a class="reference internal" href="#grammar-token-user-option"><code class="xref docutils literal notranslate"><span class="pre">user_option</span></code></a> ] |
| <strong id="grammar-token-user-option">user_option </strong> ::= SUPERUSER | NOSUPERUSER |
| </pre> |
| <p>For instance:</p> |
| <div class="highlight-cql notranslate"><div class="highlight"><pre><span></span><span class="k">CREATE</span> <span class="k">USER</span> <span class="n">alice</span> <span class="k">WITH</span> <span class="k">PASSWORD</span> <span class="s1">'password_a'</span> <span class="k">SUPERUSER</span><span class="p">;</span> |
| <span class="k">CREATE</span> <span class="k">USER</span> <span class="n">bob</span> <span class="k">WITH</span> <span class="k">PASSWORD</span> <span class="s1">'password_b'</span> <span class="k">NOSUPERUSER</span><span class="p">;</span> |
| </pre></div> |
| </div> |
| <p><code class="docutils literal notranslate"><span class="pre">CREATE</span> <span class="pre">USER</span></code> is equivalent to <code class="docutils literal notranslate"><span class="pre">CREATE</span> <span class="pre">ROLE</span></code> where the <code class="docutils literal notranslate"><span class="pre">LOGIN</span></code> option is <code class="docutils literal notranslate"><span class="pre">true</span></code>. So, the following pairs of |
| statements are equivalent:</p> |
| <div class="highlight-cql notranslate"><div class="highlight"><pre><span></span><span class="k">CREATE</span> <span class="k">USER</span> <span class="n">alice</span> <span class="k">WITH</span> <span class="k">PASSWORD</span> <span class="s1">'password_a'</span> <span class="k">SUPERUSER</span><span class="p">;</span> |
| <span class="k">CREATE</span> <span class="k">ROLE</span> <span class="n">alice</span> <span class="k">WITH</span> <span class="k">PASSWORD</span> <span class="o">=</span> <span class="s1">'password_a'</span> <span class="k">AND</span> <span class="k">LOGIN</span> <span class="o">=</span> <span class="n">true</span> <span class="k">AND</span> <span class="k">SUPERUSER</span> <span class="o">=</span> <span class="n">true</span><span class="p">;</span> |
| |
| <span class="k">CREATE</span> <span class="k">USER</span> <span class="k">IF</span> <span class="k">NOT</span> <span class="k">EXISTS</span> <span class="n">alice</span> <span class="k">WITH</span> <span class="k">PASSWORD</span> <span class="s1">'password_a'</span> <span class="k">SUPERUSER</span><span class="p">;</span> |
| <span class="k">CREATE</span> <span class="k">ROLE</span> <span class="k">IF</span> <span class="k">NOT</span> <span class="k">EXISTS</span> <span class="n">alice</span> <span class="k">WITH</span> <span class="k">PASSWORD</span> <span class="o">=</span> <span class="s1">'password_a'</span> <span class="k">AND</span> <span class="k">LOGIN</span> <span class="o">=</span> <span class="n">true</span> <span class="k">AND</span> <span class="k">SUPERUSER</span> <span class="o">=</span> <span class="n">true</span><span class="p">;</span> |
| |
| <span class="k">CREATE</span> <span class="k">USER</span> <span class="n">alice</span> <span class="k">WITH</span> <span class="k">PASSWORD</span> <span class="s1">'password_a'</span> <span class="k">NOSUPERUSER</span><span class="p">;</span> |
| <span class="k">CREATE</span> <span class="k">ROLE</span> <span class="n">alice</span> <span class="k">WITH</span> <span class="k">PASSWORD</span> <span class="o">=</span> <span class="s1">'password_a'</span> <span class="k">AND</span> <span class="k">LOGIN</span> <span class="o">=</span> <span class="n">true</span> <span class="k">AND</span> <span class="k">SUPERUSER</span> <span class="o">=</span> <span class="n">false</span><span class="p">;</span> |
| |
| <span class="k">CREATE</span> <span class="k">USER</span> <span class="n">alice</span> <span class="k">WITH</span> <span class="k">PASSWORD</span> <span class="s1">'password_a'</span> <span class="k">NOSUPERUSER</span><span class="p">;</span> |
| <span class="k">CREATE</span> <span class="k">ROLE</span> <span class="n">alice</span> <span class="k">WITH</span> <span class="k">PASSWORD</span> <span class="o">=</span> <span class="s1">'password_a'</span> <span class="k">AND</span> <span class="k">LOGIN</span> <span class="o">=</span> <span class="n">true</span><span class="p">;</span> |
| |
| <span class="k">CREATE</span> <span class="k">USER</span> <span class="n">alice</span> <span class="k">WITH</span> <span class="k">PASSWORD</span> <span class="s1">'password_a'</span><span class="p">;</span> |
| <span class="k">CREATE</span> <span class="k">ROLE</span> <span class="n">alice</span> <span class="k">WITH</span> <span class="k">PASSWORD</span> <span class="o">=</span> <span class="s1">'password_a'</span> <span class="k">AND</span> <span class="k">LOGIN</span> <span class="o">=</span> <span class="n">true</span><span class="p">;</span> |
| </pre></div> |
| </div> |
| </div> |
| <div class="section" id="alter-user"> |
| <span id="alter-user-statement"></span><h3>ALTER USER<a class="headerlink" href="#alter-user" title="Permalink to this headline">¶</a></h3> |
| <p>Altering the options of a user uses the <code class="docutils literal notranslate"><span class="pre">ALTER</span> <span class="pre">USER</span></code> statement:</p> |
| <pre> |
| <strong id="grammar-token-alter-user-statement">alter_user_statement</strong> ::= ALTER USER <a class="reference internal" href="#grammar-token-role-name"><code class="xref docutils literal notranslate"><span class="pre">role_name</span></code></a> [ WITH PASSWORD <a class="reference internal" href="definitions.html#grammar-token-string"><code class="xref docutils literal notranslate"><span class="pre">string</span></code></a> ] [ <a class="reference internal" href="#grammar-token-user-option"><code class="xref docutils literal notranslate"><span class="pre">user_option</span></code></a> ] |
| </pre> |
| <p>For instance:</p> |
| <div class="highlight-cql notranslate"><div class="highlight"><pre><span></span><span class="k">ALTER</span> <span class="k">USER</span> <span class="n">alice</span> <span class="k">WITH</span> <span class="k">PASSWORD</span> <span class="s1">'PASSWORD_A'</span><span class="p">;</span> |
| <span class="k">ALTER</span> <span class="k">USER</span> <span class="n">bob</span> <span class="k">SUPERUSER</span><span class="p">;</span> |
| </pre></div> |
| </div> |
| </div> |
| <div class="section" id="drop-user"> |
| <span id="drop-user-statement"></span><h3>DROP USER<a class="headerlink" href="#drop-user" title="Permalink to this headline">¶</a></h3> |
| <p>Dropping a user uses the <code class="docutils literal notranslate"><span class="pre">DROP</span> <span class="pre">USER</span></code> statement:</p> |
| <pre> |
| <strong id="grammar-token-drop-user-statement">drop_user_statement</strong> ::= DROP USER [ IF EXISTS ] <a class="reference internal" href="#grammar-token-role-name"><code class="xref docutils literal notranslate"><span class="pre">role_name</span></code></a> |
| </pre> |
| </div> |
| <div class="section" id="list-users"> |
| <span id="list-users-statement"></span><h3>LIST USERS<a class="headerlink" href="#list-users" title="Permalink to this headline">¶</a></h3> |
| <p>Existing users can be listed using the <code class="docutils literal notranslate"><span class="pre">LIST</span> <span class="pre">USERS</span></code> statement:</p> |
| <pre> |
| <strong id="grammar-token-list-users-statement">list_users_statement</strong> ::= LIST USERS |
| </pre> |
| <p>Note that this statement is equivalent to:</p> |
| <div class="highlight-cql notranslate"><div class="highlight"><pre><span></span><span class="k">LIST</span> <span class="k">ROLES</span><span class="p">;</span> |
| </pre></div> |
| </div> |
| <p>but only roles with the <code class="docutils literal notranslate"><span class="pre">LOGIN</span></code> privilege are included in the output.</p> |
| </div> |
| </div> |
| <div class="section" id="data-control"> |
| <h2>Data Control<a class="headerlink" href="#data-control" title="Permalink to this headline">¶</a></h2> |
| <div class="section" id="permissions"> |
| <span id="cql-permissions"></span><h3>Permissions<a class="headerlink" href="#permissions" title="Permalink to this headline">¶</a></h3> |
| <p>Permissions on resources are granted to roles; there are several different types of resources in Cassandra and each type |
| is modelled hierarchically:</p> |
| <ul class="simple"> |
| <li><p>The hierarchy of Data resources, Keyspaces and Tables has the structure <code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">KEYSPACES</span></code> -> <code class="docutils literal notranslate"><span class="pre">KEYSPACE</span></code> -> |
| <code class="docutils literal notranslate"><span class="pre">TABLE</span></code>.</p></li> |
| <li><p>Function resources have the structure <code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">FUNCTIONS</span></code> -> <code class="docutils literal notranslate"><span class="pre">KEYSPACE</span></code> -> <code class="docutils literal notranslate"><span class="pre">FUNCTION</span></code></p></li> |
| <li><p>Resources representing roles have the structure <code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">ROLES</span></code> -> <code class="docutils literal notranslate"><span class="pre">ROLE</span></code></p></li> |
| <li><p>Resources representing JMX ObjectNames, which map to sets of MBeans/MXBeans, have the structure <code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">MBEANS</span></code> -> |
| <code class="docutils literal notranslate"><span class="pre">MBEAN</span></code></p></li> |
| </ul> |
| <p>Permissions can be granted at any level of these hierarchies and they flow downwards. So granting a permission on a |
| resource higher up the chain automatically grants that same permission on all resources lower down. For example, |
| granting <code class="docutils literal notranslate"><span class="pre">SELECT</span></code> on a <code class="docutils literal notranslate"><span class="pre">KEYSPACE</span></code> automatically grants it on all <code class="docutils literal notranslate"><span class="pre">TABLES</span></code> in that <code class="docutils literal notranslate"><span class="pre">KEYSPACE</span></code>. Likewise, granting |
| a permission on <code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">FUNCTIONS</span></code> grants it on every defined function, regardless of which keyspace it is scoped in. It |
| is also possible to grant permissions on all functions scoped to a particular keyspace.</p> |
| <p>Modifications to permissions are visible to existing client sessions; that is, connections need not be re-established |
| following permissions changes.</p> |
| <p>The full set of available permissions is:</p> |
| <ul class="simple"> |
| <li><p><code class="docutils literal notranslate"><span class="pre">CREATE</span></code></p></li> |
| <li><p><code class="docutils literal notranslate"><span class="pre">ALTER</span></code></p></li> |
| <li><p><code class="docutils literal notranslate"><span class="pre">DROP</span></code></p></li> |
| <li><p><code class="docutils literal notranslate"><span class="pre">SELECT</span></code></p></li> |
| <li><p><code class="docutils literal notranslate"><span class="pre">MODIFY</span></code></p></li> |
| <li><p><code class="docutils literal notranslate"><span class="pre">AUTHORIZE</span></code></p></li> |
| <li><p><code class="docutils literal notranslate"><span class="pre">DESCRIBE</span></code></p></li> |
| <li><p><code class="docutils literal notranslate"><span class="pre">EXECUTE</span></code></p></li> |
| </ul> |
| <p>Not all permissions are applicable to every type of resource. For instance, <code class="docutils literal notranslate"><span class="pre">EXECUTE</span></code> is only relevant in the context |
| of functions or mbeans; granting <code class="docutils literal notranslate"><span class="pre">EXECUTE</span></code> on a resource representing a table is nonsensical. Attempting to <code class="docutils literal notranslate"><span class="pre">GRANT</span></code> |
| a permission on a resource to which it cannot be applied results in an error response. The following illustrates which |
| permissions can be granted on which types of resource, and which statements are enabled by that permission.</p> |
| <table class="docutils align-default"> |
| <colgroup> |
| <col style="width: 13%" /> |
| <col style="width: 26%" /> |
| <col style="width: 61%" /> |
| </colgroup> |
| <thead> |
| <tr class="row-odd"><th class="head"><p>Permission</p></th> |
| <th class="head"><p>Resource</p></th> |
| <th class="head"><p>Operations</p></th> |
| </tr> |
| </thead> |
| <tbody> |
| <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">CREATE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">KEYSPACES</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">CREATE</span> <span class="pre">KEYSPACE</span></code> and <code class="docutils literal notranslate"><span class="pre">CREATE</span> <span class="pre">TABLE</span></code> in any keyspace</p></td> |
| </tr> |
| <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">CREATE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">KEYSPACE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">CREATE</span> <span class="pre">TABLE</span></code> in specified keyspace</p></td> |
| </tr> |
| <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">CREATE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">FUNCTIONS</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">CREATE</span> <span class="pre">FUNCTION</span></code> in any keyspace and <code class="docutils literal notranslate"><span class="pre">CREATE</span> <span class="pre">AGGREGATE</span></code> in any |
| keyspace</p></td> |
| </tr> |
| <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">CREATE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">FUNCTIONS</span> <span class="pre">IN</span> <span class="pre">KEYSPACE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">CREATE</span> <span class="pre">FUNCTION</span></code> and <code class="docutils literal notranslate"><span class="pre">CREATE</span> <span class="pre">AGGREGATE</span></code> in specified keyspace</p></td> |
| </tr> |
| <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">CREATE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">ROLES</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">CREATE</span> <span class="pre">ROLE</span></code></p></td> |
| </tr> |
| <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">ALTER</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">KEYSPACES</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALTER</span> <span class="pre">KEYSPACE</span></code> and <code class="docutils literal notranslate"><span class="pre">ALTER</span> <span class="pre">TABLE</span></code> in any keyspace</p></td> |
| </tr> |
| <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">ALTER</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">KEYSPACE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALTER</span> <span class="pre">KEYSPACE</span></code> and <code class="docutils literal notranslate"><span class="pre">ALTER</span> <span class="pre">TABLE</span></code> in specified keyspace</p></td> |
| </tr> |
| <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">ALTER</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">TABLE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALTER</span> <span class="pre">TABLE</span></code></p></td> |
| </tr> |
| <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">ALTER</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">FUNCTIONS</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">CREATE</span> <span class="pre">FUNCTION</span></code> and <code class="docutils literal notranslate"><span class="pre">CREATE</span> <span class="pre">AGGREGATE</span></code>: replacing any existing</p></td> |
| </tr> |
| <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">ALTER</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">FUNCTIONS</span> <span class="pre">IN</span> <span class="pre">KEYSPACE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">CREATE</span> <span class="pre">FUNCTION</span></code> and <code class="docutils literal notranslate"><span class="pre">CREATE</span> <span class="pre">AGGREGATE</span></code>: replacing existing in |
| specified keyspace</p></td> |
| </tr> |
| <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">ALTER</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">FUNCTION</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">CREATE</span> <span class="pre">FUNCTION</span></code> and <code class="docutils literal notranslate"><span class="pre">CREATE</span> <span class="pre">AGGREGATE</span></code>: replacing existing</p></td> |
| </tr> |
| <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">ALTER</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">ROLES</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALTER</span> <span class="pre">ROLE</span></code> on any role</p></td> |
| </tr> |
| <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">ALTER</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ROLE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALTER</span> <span class="pre">ROLE</span></code></p></td> |
| </tr> |
| <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">DROP</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">KEYSPACES</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">DROP</span> <span class="pre">KEYSPACE</span></code> and <code class="docutils literal notranslate"><span class="pre">DROP</span> <span class="pre">TABLE</span></code> in any keyspace</p></td> |
| </tr> |
| <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">DROP</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">KEYSPACE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">DROP</span> <span class="pre">TABLE</span></code> in specified keyspace</p></td> |
| </tr> |
| <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">DROP</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">TABLE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">DROP</span> <span class="pre">TABLE</span></code></p></td> |
| </tr> |
| <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">DROP</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">FUNCTIONS</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">DROP</span> <span class="pre">FUNCTION</span></code> and <code class="docutils literal notranslate"><span class="pre">DROP</span> <span class="pre">AGGREGATE</span></code> in any keyspace</p></td> |
| </tr> |
| <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">DROP</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">FUNCTIONS</span> <span class="pre">IN</span> <span class="pre">KEYSPACE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">DROP</span> <span class="pre">FUNCTION</span></code> and <code class="docutils literal notranslate"><span class="pre">DROP</span> <span class="pre">AGGREGATE</span></code> in specified keyspace</p></td> |
| </tr> |
| <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">DROP</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">FUNCTION</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">DROP</span> <span class="pre">FUNCTION</span></code></p></td> |
| </tr> |
| <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">DROP</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">ROLES</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">DROP</span> <span class="pre">ROLE</span></code> on any role</p></td> |
| </tr> |
| <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">DROP</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ROLE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">DROP</span> <span class="pre">ROLE</span></code></p></td> |
| </tr> |
| <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">SELECT</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">KEYSPACES</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">SELECT</span></code> on any table</p></td> |
| </tr> |
| <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">SELECT</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">KEYSPACE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">SELECT</span></code> on any table in specified keyspace</p></td> |
| </tr> |
| <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">SELECT</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">TABLE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">SELECT</span></code> on specified table</p></td> |
| </tr> |
| <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">SELECT</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">MBEANS</span></code></p></td> |
| <td><p>Call getter methods on any mbean</p></td> |
| </tr> |
| <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">SELECT</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">MBEANS</span></code></p></td> |
| <td><p>Call getter methods on any mbean matching a wildcard pattern</p></td> |
| </tr> |
| <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">SELECT</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">MBEAN</span></code></p></td> |
| <td><p>Call getter methods on named mbean</p></td> |
| </tr> |
| <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">MODIFY</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">KEYSPACES</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">INSERT</span></code>, <code class="docutils literal notranslate"><span class="pre">UPDATE</span></code>, <code class="docutils literal notranslate"><span class="pre">DELETE</span></code> and <code class="docutils literal notranslate"><span class="pre">TRUNCATE</span></code> on any table</p></td> |
| </tr> |
| <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">MODIFY</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">KEYSPACE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">INSERT</span></code>, <code class="docutils literal notranslate"><span class="pre">UPDATE</span></code>, <code class="docutils literal notranslate"><span class="pre">DELETE</span></code> and <code class="docutils literal notranslate"><span class="pre">TRUNCATE</span></code> on any table in |
| specified keyspace</p></td> |
| </tr> |
| <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">MODIFY</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">TABLE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">INSERT</span></code>, <code class="docutils literal notranslate"><span class="pre">UPDATE</span></code>, <code class="docutils literal notranslate"><span class="pre">DELETE</span></code> and <code class="docutils literal notranslate"><span class="pre">TRUNCATE</span></code> on specified table</p></td> |
| </tr> |
| <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">MODIFY</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">MBEANS</span></code></p></td> |
| <td><p>Call setter methods on any mbean</p></td> |
| </tr> |
| <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">MODIFY</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">MBEANS</span></code></p></td> |
| <td><p>Call setter methods on any mbean matching a wildcard pattern</p></td> |
| </tr> |
| <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">MODIFY</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">MBEAN</span></code></p></td> |
| <td><p>Call setter methods on named mbean</p></td> |
| </tr> |
| <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">AUTHORIZE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">KEYSPACES</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">GRANT</span> <span class="pre">PERMISSION</span></code> and <code class="docutils literal notranslate"><span class="pre">REVOKE</span> <span class="pre">PERMISSION</span></code> on any table</p></td> |
| </tr> |
| <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">AUTHORIZE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">KEYSPACE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">GRANT</span> <span class="pre">PERMISSION</span></code> and <code class="docutils literal notranslate"><span class="pre">REVOKE</span> <span class="pre">PERMISSION</span></code> on any table in |
| specified keyspace</p></td> |
| </tr> |
| <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">AUTHORIZE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">TABLE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">GRANT</span> <span class="pre">PERMISSION</span></code> and <code class="docutils literal notranslate"><span class="pre">REVOKE</span> <span class="pre">PERMISSION</span></code> on specified table</p></td> |
| </tr> |
| <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">AUTHORIZE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">FUNCTIONS</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">GRANT</span> <span class="pre">PERMISSION</span></code> and <code class="docutils literal notranslate"><span class="pre">REVOKE</span> <span class="pre">PERMISSION</span></code> on any function</p></td> |
| </tr> |
| <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">AUTHORIZE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">FUNCTIONS</span> <span class="pre">IN</span> <span class="pre">KEYSPACE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">GRANT</span> <span class="pre">PERMISSION</span></code> and <code class="docutils literal notranslate"><span class="pre">REVOKE</span> <span class="pre">PERMISSION</span></code> in specified keyspace</p></td> |
| </tr> |
| <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">AUTHORIZE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">FUNCTION</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">GRANT</span> <span class="pre">PERMISSION</span></code> and <code class="docutils literal notranslate"><span class="pre">REVOKE</span> <span class="pre">PERMISSION</span></code> on specified function</p></td> |
| </tr> |
| <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">AUTHORIZE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">MBEANS</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">GRANT</span> <span class="pre">PERMISSION</span></code> and <code class="docutils literal notranslate"><span class="pre">REVOKE</span> <span class="pre">PERMISSION</span></code> on any mbean</p></td> |
| </tr> |
| <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">AUTHORIZE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">MBEANS</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">GRANT</span> <span class="pre">PERMISSION</span></code> and <code class="docutils literal notranslate"><span class="pre">REVOKE</span> <span class="pre">PERMISSION</span></code> on any mbean matching |
| a wildcard pattern</p></td> |
| </tr> |
| <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">AUTHORIZE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">MBEAN</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">GRANT</span> <span class="pre">PERMISSION</span></code> and <code class="docutils literal notranslate"><span class="pre">REVOKE</span> <span class="pre">PERMISSION</span></code> on named mbean</p></td> |
| </tr> |
| <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">AUTHORIZE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">ROLES</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">GRANT</span> <span class="pre">ROLE</span></code> and <code class="docutils literal notranslate"><span class="pre">REVOKE</span> <span class="pre">ROLE</span></code> on any role</p></td> |
| </tr> |
| <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">AUTHORIZE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ROLES</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">GRANT</span> <span class="pre">ROLE</span></code> and <code class="docutils literal notranslate"><span class="pre">REVOKE</span> <span class="pre">ROLE</span></code> on specified roles</p></td> |
| </tr> |
| <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">DESCRIBE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">ROLES</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">LIST</span> <span class="pre">ROLES</span></code> on all roles or only roles granted to another, |
| specified role</p></td> |
| </tr> |
| <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">DESCRIBE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">MBEANS</span></code></p></td> |
| <td><p>Retrieve metadata about any mbean from the platform’s MBeanServer</p></td> |
| </tr> |
| <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">DESCRIBE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">MBEANS</span></code></p></td> |
| <td><p>Retrieve metadata about any mbean matching a wildcard pattern from the |
| platform’s MBeanServer</p></td> |
| </tr> |
| <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">DESCRIBE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">MBEAN</span></code></p></td> |
| <td><p>Retrieve metadata about a named mbean from the platform’s MBeanServer</p></td> |
| </tr> |
| <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">EXECUTE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">FUNCTIONS</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">SELECT</span></code>, <code class="docutils literal notranslate"><span class="pre">INSERT</span></code> and <code class="docutils literal notranslate"><span class="pre">UPDATE</span></code> using any function, and use of |
| any function in <code class="docutils literal notranslate"><span class="pre">CREATE</span> <span class="pre">AGGREGATE</span></code></p></td> |
| </tr> |
| <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">EXECUTE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">FUNCTIONS</span> <span class="pre">IN</span> <span class="pre">KEYSPACE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">SELECT</span></code>, <code class="docutils literal notranslate"><span class="pre">INSERT</span></code> and <code class="docutils literal notranslate"><span class="pre">UPDATE</span></code> using any function in specified |
| keyspace and use of any function in keyspace in <code class="docutils literal notranslate"><span class="pre">CREATE</span> <span class="pre">AGGREGATE</span></code></p></td> |
| </tr> |
| <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">EXECUTE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">FUNCTION</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">SELECT</span></code>, <code class="docutils literal notranslate"><span class="pre">INSERT</span></code> and <code class="docutils literal notranslate"><span class="pre">UPDATE</span></code> using specified function and use |
| of the function in <code class="docutils literal notranslate"><span class="pre">CREATE</span> <span class="pre">AGGREGATE</span></code></p></td> |
| </tr> |
| <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">EXECUTE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">ALL</span> <span class="pre">MBEANS</span></code></p></td> |
| <td><p>Execute operations on any mbean</p></td> |
| </tr> |
| <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">EXECUTE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">MBEANS</span></code></p></td> |
| <td><p>Execute operations on any mbean matching a wildcard pattern</p></td> |
| </tr> |
| <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">EXECUTE</span></code></p></td> |
| <td><p><code class="docutils literal notranslate"><span class="pre">MBEAN</span></code></p></td> |
| <td><p>Execute operations on named mbean</p></td> |
| </tr> |
| </tbody> |
| </table> |
| </div> |
| <div class="section" id="grant-permission"> |
| <span id="grant-permission-statement"></span><h3>GRANT PERMISSION<a class="headerlink" href="#grant-permission" title="Permalink to this headline">¶</a></h3> |
| <p>Granting a permission uses the <code class="docutils literal notranslate"><span class="pre">GRANT</span> <span class="pre">PERMISSION</span></code> statement:</p> |
| <pre> |
| <strong id="grammar-token-grant-permission-statement">grant_permission_statement</strong> ::= GRANT <a class="reference internal" href="#grammar-token-permissions"><code class="xref docutils literal notranslate"><span class="pre">permissions</span></code></a> ON <a class="reference internal" href="#grammar-token-resource"><code class="xref docutils literal notranslate"><span class="pre">resource</span></code></a> TO <a class="reference internal" href="#grammar-token-role-name"><code class="xref docutils literal notranslate"><span class="pre">role_name</span></code></a> |
| <strong id="grammar-token-permissions">permissions </strong> ::= ALL [ PERMISSIONS ] | <a class="reference internal" href="#grammar-token-permission"><code class="xref docutils literal notranslate"><span class="pre">permission</span></code></a> [ PERMISSION ] |
| <strong id="grammar-token-permission">permission </strong> ::= CREATE | ALTER | DROP | SELECT | MODIFY | AUTHORIZE | DESCRIBE | EXECUTE |
| <strong id="grammar-token-resource">resource </strong> ::= ALL KEYSPACES |
| | KEYSPACE <a class="reference internal" href="ddl.html#grammar-token-keyspace-name"><code class="xref docutils literal notranslate"><span class="pre">keyspace_name</span></code></a> |
| | [ TABLE ] <a class="reference internal" href="ddl.html#grammar-token-table-name"><code class="xref docutils literal notranslate"><span class="pre">table_name</span></code></a> |
| | ALL ROLES |
| | ROLE <a class="reference internal" href="#grammar-token-role-name"><code class="xref docutils literal notranslate"><span class="pre">role_name</span></code></a> |
| | ALL FUNCTIONS [ IN KEYSPACE <a class="reference internal" href="ddl.html#grammar-token-keyspace-name"><code class="xref docutils literal notranslate"><span class="pre">keyspace_name</span></code></a> ] |
| | FUNCTION <a class="reference internal" href="functions.html#grammar-token-function-name"><code class="xref docutils literal notranslate"><span class="pre">function_name</span></code></a> '(' [ <a class="reference internal" href="types.html#grammar-token-cql-type"><code class="xref docutils literal notranslate"><span class="pre">cql_type</span></code></a> ( ',' <a class="reference internal" href="types.html#grammar-token-cql-type"><code class="xref docutils literal notranslate"><span class="pre">cql_type</span></code></a> )* ] ')' |
| | ALL MBEANS |
| | ( MBEAN | MBEANS ) <a class="reference internal" href="definitions.html#grammar-token-string"><code class="xref docutils literal notranslate"><span class="pre">string</span></code></a> |
| </pre> |
| <p>For instance:</p> |
| <div class="highlight-cql notranslate"><div class="highlight"><pre><span></span><span class="k">GRANT</span> <span class="k">SELECT</span> <span class="k">ON</span> <span class="k">ALL</span> <span class="k">KEYSPACES</span> <span class="k">TO</span> <span class="n">data_reader</span><span class="p">;</span> |
| </pre></div> |
| </div> |
| <p>This gives any user with the role <code class="docutils literal notranslate"><span class="pre">data_reader</span></code> permission to execute <code class="docutils literal notranslate"><span class="pre">SELECT</span></code> statements on any table across all |
| keyspaces.</p> |
| <div class="highlight-cql notranslate"><div class="highlight"><pre><span></span><span class="k">GRANT</span> <span class="k">MODIFY</span> <span class="k">ON</span> <span class="k">KEYSPACE</span> <span class="n">keyspace1</span> <span class="k">TO</span> <span class="n">data_writer</span><span class="p">;</span> |
| </pre></div> |
| </div> |
| <p>This gives any user with the role <code class="docutils literal notranslate"><span class="pre">data_writer</span></code> permission to perform <code class="docutils literal notranslate"><span class="pre">INSERT</span></code>, <code class="docutils literal notranslate"><span class="pre">UPDATE</span></code>, <code class="docutils literal notranslate"><span class="pre">DELETE</span></code> |
| and <code class="docutils literal notranslate"><span class="pre">TRUNCATE</span></code> queries on all tables in the <code class="docutils literal notranslate"><span class="pre">keyspace1</span></code> keyspace.</p> |
| <div class="highlight-cql notranslate"><div class="highlight"><pre><span></span><span class="k">GRANT</span> <span class="k">DROP</span> <span class="k">ON</span> <span class="n">keyspace1</span><span class="mf">.</span><span class="n">table1</span> <span class="k">TO</span> <span class="n">schema_owner</span><span class="p">;</span> |
| </pre></div> |
| </div> |
| <p>This gives any user with the <code class="docutils literal notranslate"><span class="pre">schema_owner</span></code> role permission to <code class="docutils literal notranslate"><span class="pre">DROP</span></code> <code class="docutils literal notranslate"><span class="pre">keyspace1.table1</span></code>.</p> |
| <div class="highlight-cql notranslate"><div class="highlight"><pre><span></span><span class="k">GRANT</span> <span class="k">EXECUTE</span> <span class="k">ON</span> <span class="k">FUNCTION</span> <span class="n">keyspace1</span><span class="mf">.</span><span class="n">user_function</span><span class="p">(</span> <span class="nb">int</span> <span class="p">)</span> <span class="k">TO</span> <span class="n">report_writer</span><span class="p">;</span> |
| </pre></div> |
| </div> |
| <p>This grants any user with the <code class="docutils literal notranslate"><span class="pre">report_writer</span></code> role permission to execute <code class="docutils literal notranslate"><span class="pre">SELECT</span></code>, <code class="docutils literal notranslate"><span class="pre">INSERT</span></code> and <code class="docutils literal notranslate"><span class="pre">UPDATE</span></code> queries |
| which use the function <code class="docutils literal notranslate"><span class="pre">keyspace1.user_function(</span> <span class="pre">int</span> <span class="pre">)</span></code>.</p> |
| <div class="highlight-cql notranslate"><div class="highlight"><pre><span></span><span class="k">GRANT</span> <span class="k">DESCRIBE</span> <span class="k">ON</span> <span class="k">ALL</span> <span class="k">ROLES</span> <span class="k">TO</span> <span class="n">role_admin</span><span class="p">;</span> |
| </pre></div> |
| </div> |
| <p>This grants any user with the <code class="docutils literal notranslate"><span class="pre">role_admin</span></code> role permission to view any and all roles in the system with a <code class="docutils literal notranslate"><span class="pre">LIST</span> |
| <span class="pre">ROLES</span></code> statement.</p> |
| <div class="section" id="grant-all"> |
| <span id="id2"></span><h4>GRANT ALL<a class="headerlink" href="#grant-all" title="Permalink to this headline">¶</a></h4> |
| <p>When the <code class="docutils literal notranslate"><span class="pre">GRANT</span> <span class="pre">ALL</span></code> form is used, the appropriate set of permissions is determined automatically based on the target |
| resource.</p> |
| </div> |
| <div class="section" id="automatic-granting"> |
| <h4>Automatic Granting<a class="headerlink" href="#automatic-granting" title="Permalink to this headline">¶</a></h4> |
| <p>When a resource is created, via a <code class="docutils literal notranslate"><span class="pre">CREATE</span> <span class="pre">KEYSPACE</span></code>, <code class="docutils literal notranslate"><span class="pre">CREATE</span> <span class="pre">TABLE</span></code>, <code class="docutils literal notranslate"><span class="pre">CREATE</span> <span class="pre">FUNCTION</span></code>, <code class="docutils literal notranslate"><span class="pre">CREATE</span> <span class="pre">AGGREGATE</span></code> or |
| <code class="docutils literal notranslate"><span class="pre">CREATE</span> <span class="pre">ROLE</span></code> statement, the creator (the role the database user who issues the statement is identified as) is |
| automatically granted all applicable permissions on the new resource.</p> |
| </div> |
| </div> |
| <div class="section" id="revoke-permission"> |
| <span id="revoke-permission-statement"></span><h3>REVOKE PERMISSION<a class="headerlink" href="#revoke-permission" title="Permalink to this headline">¶</a></h3> |
| <p>Revoking a permission from a role uses the <code class="docutils literal notranslate"><span class="pre">REVOKE</span> <span class="pre">PERMISSION</span></code> statement:</p> |
| <pre> |
| <strong id="grammar-token-revoke-permission-statement">revoke_permission_statement</strong> ::= REVOKE <a class="reference internal" href="#grammar-token-permissions"><code class="xref docutils literal notranslate"><span class="pre">permissions</span></code></a> ON <a class="reference internal" href="#grammar-token-resource"><code class="xref docutils literal notranslate"><span class="pre">resource</span></code></a> FROM <a class="reference internal" href="#grammar-token-role-name"><code class="xref docutils literal notranslate"><span class="pre">role_name</span></code></a> |
| </pre> |
| <p>For instance:</p> |
| <div class="highlight-cql notranslate"><div class="highlight"><pre><span></span><span class="k">REVOKE</span> <span class="k">SELECT</span> <span class="k">ON</span> <span class="k">ALL</span> <span class="k">KEYSPACES</span> <span class="k">FROM</span> <span class="n">data_reader</span><span class="p">;</span> |
| <span class="k">REVOKE</span> <span class="k">MODIFY</span> <span class="k">ON</span> <span class="k">KEYSPACE</span> <span class="n">keyspace1</span> <span class="k">FROM</span> <span class="n">data_writer</span><span class="p">;</span> |
| <span class="k">REVOKE</span> <span class="k">DROP</span> <span class="k">ON</span> <span class="n">keyspace1</span><span class="mf">.</span><span class="n">table1</span> <span class="k">FROM</span> <span class="n">schema_owner</span><span class="p">;</span> |
| <span class="k">REVOKE</span> <span class="k">EXECUTE</span> <span class="k">ON</span> <span class="k">FUNCTION</span> <span class="n">keyspace1</span><span class="mf">.</span><span class="n">user_function</span><span class="p">(</span> <span class="nb">int</span> <span class="p">)</span> <span class="k">FROM</span> <span class="n">report_writer</span><span class="p">;</span> |
| <span class="k">REVOKE</span> <span class="k">DESCRIBE</span> <span class="k">ON</span> <span class="k">ALL</span> <span class="k">ROLES</span> <span class="k">FROM</span> <span class="n">role_admin</span><span class="p">;</span> |
| </pre></div> |
| </div> |
| </div> |
| <div class="section" id="list-permissions"> |
| <span id="list-permissions-statement"></span><h3>LIST PERMISSIONS<a class="headerlink" href="#list-permissions" title="Permalink to this headline">¶</a></h3> |
| <p>Listing granted permissions uses the <code class="docutils literal notranslate"><span class="pre">LIST</span> <span class="pre">PERMISSIONS</span></code> statement:</p> |
| <pre> |
| <strong id="grammar-token-list-permissions-statement">list_permissions_statement</strong> ::= LIST <a class="reference internal" href="#grammar-token-permissions"><code class="xref docutils literal notranslate"><span class="pre">permissions</span></code></a> [ ON <a class="reference internal" href="#grammar-token-resource"><code class="xref docutils literal notranslate"><span class="pre">resource</span></code></a> ] [ OF <a class="reference internal" href="#grammar-token-role-name"><code class="xref docutils literal notranslate"><span class="pre">role_name</span></code></a> [ NORECURSIVE ] ] |
| </pre> |
| <p>For instance:</p> |
| <div class="highlight-cql notranslate"><div class="highlight"><pre><span></span><span class="k">LIST</span> <span class="k">ALL</span> <span class="k">PERMISSIONS</span> <span class="k">OF</span> <span class="n">alice</span><span class="p">;</span> |
| </pre></div> |
| </div> |
| <p>Show all permissions granted to <code class="docutils literal notranslate"><span class="pre">alice</span></code>, including those acquired transitively from any other roles.</p> |
| <div class="highlight-cql notranslate"><div class="highlight"><pre><span></span><span class="k">LIST</span> <span class="k">ALL</span> <span class="k">PERMISSIONS</span> <span class="k">ON</span> <span class="n">keyspace1</span><span class="mf">.</span><span class="n">table1</span> <span class="k">OF</span> <span class="n">bob</span><span class="p">;</span> |
| </pre></div> |
| </div> |
| <p>Show all permissions on <code class="docutils literal notranslate"><span class="pre">keyspace1.table1</span></code> granted to <code class="docutils literal notranslate"><span class="pre">bob</span></code>, including those acquired transitively from any other |
| roles. This also includes any permissions higher up the resource hierarchy which can be applied to <code class="docutils literal notranslate"><span class="pre">keyspace1.table1</span></code>. |
| For example, should <code class="docutils literal notranslate"><span class="pre">bob</span></code> have <code class="docutils literal notranslate"><span class="pre">ALTER</span></code> permission on <code class="docutils literal notranslate"><span class="pre">keyspace1</span></code>, that would be included in the results of this |
| query. Adding the <code class="docutils literal notranslate"><span class="pre">NORECURSIVE</span></code> switch restricts the results to only those permissions which were directly granted to |
| <code class="docutils literal notranslate"><span class="pre">bob</span></code> or one of <code class="docutils literal notranslate"><span class="pre">bob</span></code>’s roles.</p> |
| <div class="highlight-cql notranslate"><div class="highlight"><pre><span></span><span class="k">LIST</span> <span class="k">SELECT</span> <span class="k">PERMISSIONS</span> <span class="k">OF</span> <span class="n">carlos</span><span class="p">;</span> |
| </pre></div> |
| </div> |
| <p>Show any permissions granted to <code class="docutils literal notranslate"><span class="pre">carlos</span></code> or any of <code class="docutils literal notranslate"><span class="pre">carlos</span></code>’s roles, limited to <code class="docutils literal notranslate"><span class="pre">SELECT</span></code> permissions on any |
| resource.</p> |
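| <p>The statements above combined into a least-privilege setup and permission review, as an added example that is not part of the Cassandra documentation. The role <code class="docutils literal notranslate"><span class="pre">svc_reporting</span></code> and its password value are hypothetical placeholders; the other names reuse the examples on this page.</p> |

```cql
-- Constructed example. svc_reporting and its password are placeholders;
-- keyspace1, table1, data_reader, data_writer and schema_owner are the
-- names used in the examples on this page.

-- 1. Grant on the narrowest resource that satisfies the need, instead of
--    ALL KEYSPACES: read access to one keyspace, write access to one table.
GRANT SELECT ON KEYSPACE keyspace1 TO data_reader;
GRANT MODIFY ON keyspace1.table1 TO data_writer;

-- 2. Give a login role its permissions through role membership only,
--    so nothing is granted to it directly.
CREATE ROLE IF NOT EXISTS svc_reporting
  WITH LOGIN = true AND PASSWORD = 'CHANGE_ME_PLACEHOLDER';
GRANT data_reader TO svc_reporting;
GRANT data_writer TO svc_reporting;

-- 3. Review what svc_reporting can do on the table. The default listing
--    includes permissions acquired transitively from other roles and
--    permissions granted higher up the resource hierarchy (here, SELECT
--    on keyspace1 applies to keyspace1.table1).
LIST ALL PERMISSIONS ON keyspace1.table1 OF svc_reporting;

-- 4. Run the same query with NORECURSIVE, which restricts the results to
--    directly granted permissions as described above. Comparing the two
--    result sets shows which permissions arrive through inheritance.
LIST ALL PERMISSIONS ON keyspace1.table1 OF svc_reporting NORECURSIVE;

-- 5. Automatic granting: the role that created keyspace1.table1 holds all
--    applicable permissions on it. List them, then revoke what the
--    creating role does not need for ongoing work.
LIST ALL PERMISSIONS ON keyspace1.table1 OF schema_owner;
REVOKE MODIFY ON keyspace1.table1 FROM schema_owner;

-- 6. Remove a broad grant and confirm it is gone. SELECT on keyspace1
--    from step 1 should remain in the listing.
REVOKE SELECT ON ALL KEYSPACES FROM data_reader;
LIST SELECT PERMISSIONS OF data_reader;
```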
| </div> |
| </div> |
| </div> |
| |
| |
| </div> |
| |
| </div> |
| <footer> |
| |
| |
| |
| <hr/> |
| |
| <div role="contentinfo"> |
| <p> |
| © Copyright 2016, The Apache Cassandra team |
| |
| </p> |
| </div> |
| |
| </footer> |
| |
| </div> |
| </div> |
| |
| </section> |
| |
| </div> |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| </body> |
| </html> |