Let us explore how we can create the various types of roles in a Cassandra cluster.
Cassandra Create Role Command Syntax
The following snippet shows the syntax of the CREATE ROLE command in Cassandra:
CREATE ROLE [IF NOT EXISTS] role_name
[WITH SUPERUSER = true | false
| LOGIN = true | false
| PASSWORD = 'password'
| OPTIONS = option_map]
The following are the parameters in the given syntax:
- Role_name – This specifies the name that is used to identify a given role. Keep in mind that Cassandra will not preserve letter case unless the name is enclosed in quotation marks.
- SUPERUSER – Setting the SUPERUSER value to true automatically grants AUTHORIZE, GRANT, and DROP on all roles. This allows the superusers to manage the other roles in the database.
- LOGIN – If set to true, the created role is treated as a standard account, allowing that username to log in with a username and password. By default, this value is set to false.
- PASSWORD – Specifies the password that the role uses to log in. Pair this value with LOGIN = true; otherwise, omit it.
- OPTIONS – Specifies the options for configured authentication plugins.
Example 1: Create a Login Account
The following example shows how to create a login user using the CREATE ROLE command:
CREATE ROLE linuxhint
WITH PASSWORD = 'password'
AND LOGIN = true;
Setting PASSWORD and LOGIN = true creates a standard user. You can then log in to the server as the created user as follows:
LOGIN linuxhint
The command prompts you to enter a password for the specified username. Once authenticated, the prompt should reflect the logged-in user as:
Example 2: Creating a Role
To create a Cassandra role, we can run the following command:
The given command creates a new role called admin. Keep in mind that a role does not contain any permissions by default.
We can assign various permissions to a role using the GRANT command. For example, we can assign ALL permissions to the admin role on a given keyspace by running the following command:
The previous command assigns ALL PERMISSIONS to the admin role on the Linuxhint keyspace.
We can then assign the role to a specific user as shown in the following:
The previous command assigns the admin role to the Linuxhint user.
We can view the permissions of the user with the following command:
Output
-------+----------+----------------------+------------
admin | admin | <keyspace linuxhint> | CREATE
admin | admin | <keyspace linuxhint> | ALTER
admin | admin | <keyspace linuxhint> | DROP
admin | admin | <keyspace linuxhint> | SELECT
admin | admin | <keyspace linuxhint> | MODIFY
admin | admin | <keyspace linuxhint> | AUTHORIZE
(6 rows)
The command returns the detailed permission information including the role to which that username belongs, the target keyspace, and the permissions.
Cassandra Revoke Roles
If you want to remove a specific permission from a role, you can use the REVOKE command as shown in the following syntax:
REVOKE permission
ON object_name
FROM role_name
Here, permission refers to the specific permission that you wish to remove from the given role. The available permissions include:
- ALL PERMISSIONS
- ALTER
- AUTHORIZE
- CREATE
- DESCRIBE
- DROP
- EXECUTE
- MODIFY
- SELECT
The object name refers to the target object on which the permission applies. These include databases, functions, roles, tables, etc.
For example, to remove all permissions from the admin role that we created earlier, we can run the following command:
The previous command revokes the permission from the admin role on all keyspaces.
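The create, grant, verify and revoke steps described above, written out as one CQL script. This is an added example, not code from the original page; the keyspace definition, the placeholder password, and the assumption that cassandra.yaml uses PasswordAuthenticator and CassandraAuthorizer are not taken from the page.

```sql
-- Added example. Run in cqlsh as an existing superuser.
-- Assumes authenticator: PasswordAuthenticator and
-- authorizer: CassandraAuthorizer are set in cassandra.yaml.

-- Constructed keyspace so that the GRANT below has a target.
CREATE KEYSPACE IF NOT EXISTS linuxhint
  WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1};

-- 1. Login account: LOGIN = true plus a password.
--    SUPERUSER is stated explicitly so the intent is visible in review.
CREATE ROLE IF NOT EXISTS linuxhint
  WITH PASSWORD = 'REPLACE_WITH_STRONG_PASSWORD'  -- constructed placeholder
  AND LOGIN = true
  AND SUPERUSER = false;

-- 2. Permission-holding role: LOGIN defaults to false and no password
--    is set, so nobody can authenticate as "admin" directly.
CREATE ROLE IF NOT EXISTS admin;

-- 3. Give the role its permissions on one keyspace.
GRANT ALL PERMISSIONS ON KEYSPACE linuxhint TO admin;

-- 4. Give the login account the role.
GRANT admin TO linuxhint;

-- 5. Verify what the login account can do and which roles it holds.
LIST ALL PERMISSIONS OF linuxhint;
LIST ROLES OF linuxhint;

-- 6. Narrow the grant: AUTHORIZE lets the holder grant and revoke
--    permissions on the keyspace, which most application roles do not need.
REVOKE AUTHORIZE ON KEYSPACE linuxhint FROM admin;
LIST ALL PERMISSIONS OF admin;

-- 7. Remove the remaining permissions. REVOKE acts on the resource named
--    in the statement, so name the resource the grant was made on,
--    then list again to confirm that nothing is left.
REVOKE ALL PERMISSIONS ON KEYSPACE linuxhint FROM admin;
LIST ALL PERMISSIONS OF admin;
```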
Conclusion
This post covers working with the roles and permissions in Cassandra using the CQL commands.
Happy coding!