PLANNED MAINTENANCE

Hello, DataStax Community!

We want to make you aware of a few operational updates which will be carried out on the site. We are working hard to streamline the login process to integrate with other DataStax resources. As such, you will soon be prompted to update your password. Please note that your username will remain the same.

As we work to improve your user experience, please be aware that login to the DataStax Community will be unavailable for a few hours on:

  • Wednesday, July 15 16:00 PDT | 19:00 EDT | 20:00 BRT
  • Thursday, July 16 00:00 BST | 01:00 CEST | 04:30 IST | 07:00 CST | 09:00 AEST

For more info, check out the FAQ page. Thank you for being a valued member of our community.


question

gmldba_107428 avatar image
gmldba_107428 asked ·

What are the minimum permissions required to create keyspaces?

Is there a way to grant permissions to create keyspaces? the CREATE can be granted at any of these elements: keyspace, table, function, role, index. Is there a way to grant permissions to create keyspaces without being super user. Would it be GRANT CREATE, ALTER, DROP ON ALL KEYSPACES TO rolename?

cassandraauthorization
10 |1000 characters needed characters left characters exceeded

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

1 Answer

Erick Ramirez avatar image
Erick Ramirez answered ·

All you need to do as a superuser is to grant the CREATE permission for all keyspaces to the role. Once you've done that, the role will automatically inherit all the other permissions such as create/alter/drop tables. Let me illustrate with an example.

Grant permission

As a superuser, I created a new user with:

superadmin@cqlsh> CREATE ROLE gmldba WITH LOGIN = true AND PASSWORD = 'TodayIsWednesday';

I granted the permission to gmldba:

superadmin@cqlsh> GRANT CREATE ON ALL KEYSPACES TO gmldba;
superadmin@cqlsh> LIST ALL PERMISSIONS OF gmldba;

 role   | username | resource        | permission
--------+----------+-----------------+------------
 gmldba |   gmldba | <all keyspaces> |     CREATE

Test keyspace

To test that the permissions work, I logged in as gmldba:

$ cqlsh 10.101.32.232 -u gmldba -p TodayIsWednesday

Then created a keyspace and a table:

gmldba@cqlsh> CREATE KEYSPACE playlist WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1 };
gmldba@cqlsh:playlist> CREATE TABLE songs ( title text, year int, artist text, PRIMARY KEY((title, year)));

A quick check of the permissions now shows that gmldba has full privileges on the new keyspace and table:

gmldba@cqlsh:playlist> LIST ALL PERMISSIONS OF gmldba;

 role   | username | resource                    | permission
--------+----------+-----------------------------+------------
 gmldba |   gmldba |             <all keyspaces> |     CREATE
 gmldba |   gmldba |         <keyspace playlist> |     CREATE
 gmldba |   gmldba |         <keyspace playlist> |      ALTER
 gmldba |   gmldba |         <keyspace playlist> |       DROP
 gmldba |   gmldba |         <keyspace playlist> |     SELECT
 gmldba |   gmldba |         <keyspace playlist> |     MODIFY
 gmldba |   gmldba |         <keyspace playlist> |  AUTHORIZE
 gmldba |   gmldba |      <table playlist.songs> |      ALTER
 gmldba |   gmldba |      <table playlist.songs> |       DROP
 gmldba |   gmldba |      <table playlist.songs> |     SELECT
 gmldba |   gmldba |      <table playlist.songs> |     MODIFY
 gmldba |   gmldba |      <table playlist.songs> |  AUTHORIZE
 gmldba |   gmldba | <all functions in playlist> |     CREATE
 gmldba |   gmldba | <all functions in playlist> |      ALTER
 gmldba |   gmldba | <all functions in playlist> |       DROP
 gmldba |   gmldba | <all functions in playlist> |  AUTHORIZE
 gmldba |   gmldba | <all functions in playlist> |    EXECUTE

If you need help with the syntax, see CQL GRANT. Cheers!

Share
10 |1000 characters needed characters left characters exceeded

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.