
sebastien.fouquette_160564 asked ·

Is it possible to restrict a role to only have permissions on tables for a given keyspace with RBAC?

Hello,

We would like to restrict the role to be able to create, modify and drop tables in its keyspace,

letting the role freely create any table and, after that, alter that table without having to give another grant.

But we would not need that role to be able to alter the topology strategy of the keyspace.

We have tried 'grant all permission on keyspace .. to …' but it is apparently not fitting what I want.

Thanks

Sébastien

rbac

Erick Ramirez answered ·

@sebastien.fouquette_160564 If I understood correctly, your requirements are:

  • not allow ALTER KEYSPACE
  • allow CREATE, MODIFY, DROP for tables in a given keyspace

EDIT: Apologies that I didn't completely understand your requirements previously. I've edited my answer now to fit your needs.

You only need to grant the CREATE permission on the keyspace to achieve the above requirements. To illustrate, here is an example keyspace:

admin@cqlsh> CREATE KEYSPACE playground WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1 } ;

I granted the CREATE permission to the role sebastien:

admin@cqlsh> GRANT CREATE ON KEYSPACE playground TO sebastien ;

To verify that the permission has been granted:

admin@cqlsh:playground> LIST ALL PERMISSIONS OF sebastien ;

 role      | username  | resource              | permission | granted | restricted | grantable
-----------+-----------+-----------------------+------------+---------+------------+-----------
 sebastien | sebastien | <keyspace playground> |     CREATE |    True |      False |     False

This should allow me to log in as the role sebastien and create a new table:

$ cqlsh -u sebastien
sebastien@cqlsh> USE playground ;
sebastien@cqlsh:playground> CREATE TABLE users (name text PRIMARY KEY, col_text text);

NOTE: A role which creates a resource (a table in this example) is automatically granted all the permissions to manage it.

Since the role sebastien created the table users, it will automatically inherit all the permissions on the table:

admin@cqlsh:playground> LIST ALL PERMISSIONS OF sebastien ;

 role      | username  | resource                 | permission | granted | restricted | grantable
-----------+-----------+--------------------------+------------+---------+------------+-----------
 sebastien | sebastien |    <keyspace playground> |     CREATE |    True |      False |     False
 sebastien | sebastien | <table playground.users> |      ALTER |    True |      False |     False
 sebastien | sebastien | <table playground.users> |       DROP |    True |      False |     False
 sebastien | sebastien | <table playground.users> |     SELECT |    True |      False |     False
 sebastien | sebastien | <table playground.users> |     MODIFY |    True |      False |     False
 sebastien | sebastien | <table playground.users> |  AUTHORIZE |    True |      False |     False

If the sebastien role attempts to alter the keyspace, it will result in an unauthorized error:

sebastien@cqlsh:playground> ALTER KEYSPACE playground WITH replication = {'class': 'NetworkTopologyStrategy', 'Cassandra' : 1 } ;
Unauthorized: Error from server: code=2100 [Unauthorized] message="User sebastien has no ALTER permission on <keyspace playground> or any of its parents"

Let me know if this isn't what you're after. Cheers!

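As an added illustration (my code, not part of the answer above or of any DataStax tool), here is a small Python audit that parses LIST ALL PERMISSIONS output of the shape shown in the answer and applies the same parent-resource lookup the server's error message describes ("no ALTER permission on <keyspace playground> or any of its parents"). It lets you confirm that a role holds CREATE on the keyspace and the creator's permissions on its own tables without holding ALTER or DROP on the keyspace definition itself. The sample rows are constructed from the answer, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the LIST ALL PERMISSIONS output shown in the answer.
SAMPLE_LISTING = """\
 role      | username  | resource                 | permission | granted | restricted | grantable
-----------+-----------+--------------------------+------------+---------+------------+-----------
 sebastien | sebastien |    <keyspace playground> |     CREATE |    True |      False |     False
 sebastien | sebastien | <table playground.users> |      ALTER |    True |      False |     False
 sebastien | sebastien | <table playground.users> |       DROP |    True |      False |     False
 sebastien | sebastien | <table playground.users> |     SELECT |    True |      False |     False
 sebastien | sebastien | <table playground.users> |     MODIFY |    True |      False |     False
 sebastien | sebastien | <table playground.users> |  AUTHORIZE |    True |      False |     False
"""

def parse_listing(text):
    """Turn cqlsh LIST output into {role: {resource: {permission, ...}}}."""
    grants = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        # Skip the header, the dashed separator and anything that is not a 7-column row.
        if len(cols) != 7 or cols[0] == "role" or cols[4] != "True":
            continue
        role, resource, permission = cols[0], cols[2], cols[3]
        grants[role][resource].add(permission)
    return grants

def parents(resource):
    """Yield a resource and its parents in Cassandra's data hierarchy:
    <table ks.t> -> <keyspace ks> -> <all keyspaces>."""
    yield resource
    match = re.fullmatch(r"<table (\w+)\.\w+>", resource)
    if match:
        yield f"<keyspace {match.group(1)}>"
    if resource.startswith(("<table ", "<keyspace ")):
        yield "<all keyspaces>"

def has_permission(grants, role, resource, permission):
    """Mirror the server check: a permission counts if it is granted on the
    resource itself 'or any of its parents'."""
    role_grants = grants.get(role, {})
    return any(permission in role_grants.get(r, set()) for r in parents(resource))

def keyspace_definition_leaks(grants, role, keyspace):
    """Permissions that would let the role change or drop the keyspace definition,
    which the question wants withheld. An empty list means the role is scoped as intended."""
    resource = f"<keyspace {keyspace}>"
    return [p for p in ("ALTER", "DROP") if has_permission(grants, role, resource, p)]
```

Running the audit over the sample rows reports no leaks, while adding a keyspace-level ALTER row (the situation from the follow-up comment) makes it flag ALTER.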

Hello,

I am not able to grant those privileges.

grant CREATE TABLE, ALTER TABLE, DROP TABLE, MODIFY on keyspace seb_keyspace_dev01 to seb_kso_dev01;

SyntaxException: line 1:13 mismatched input 'TABLE' expecting K_ON (grant CREATE [TABLE]...)


Thanks

Sébastien

Erick Ramirez ♦♦ sebastien.fouquette_160564 ·

@sebastien.fouquette_160564 apologies for giving you the wrong answer. I've edited my response now showing details of how I tested it to fit your needs. Let me know what you think. Cheers!


Hello Erick

This is perfectly what I was looking for.

Thanks

Sébastien

Erick Ramirez ♦♦ sebastien.fouquette_160564 ·

Fantastic. Thanks for letting us know. Cheers!

Cedrick Lunven answered ·

Hi @sebastien.fouquette_160564,

You built a wrong statement; you should use `TABLE` only if you also provide the table name.

  • If you want it on EACH TABLE, FUNCTION and UDT object in the keyspace:
GRANT CREATE,ALTER,DROP,MODIFY on KEYSPACE seb_keyspace_dev01 TO seb_kso_dev01;

  • If you want to specifically target one table, then you provide the table name:

GRANT DROP ON seb_keyspace_dev01.my_table TO seb_kso_dev01;
-- equivalent form with the optional TABLE keyword in front of the qualified table name
GRANT DROP ON TABLE seb_keyspace_dev01.my_table TO seb_kso_dev01;

+ seb_kso_dev01 seems to be a user name. I would advise using role names here instead.

Here is some documentation you might find useful:

DOC OSS:

https://cassandra.apache.org/doc/latest/cql/security.html#grant-permission

DOC DATASTAX:

https://docs.datastax.com/en/dse/6.7/cql/cql/cql_reference/cql_commands/cqlGrant.html

Enjoy!


Hi, granting ALTER on a keyspace to a role will give it the rights

  • to alter the tables in that keyspace (add a column, for example)
  • to alter the keyspace definition itself.

Would it be possible to not allow altering the keyspace definition, but freely let the role alter any table?

Thanks in advance for your support.

Sébastien
