Bringing together the Apache Cassandra experts from the community and DataStax.

Want to learn? Have a question? Want to share your expertise? You are in the right place!

Not sure where to begin? Getting Started

 

question

dshevchuk avatar image
dshevchuk asked ·

How do I restrict access to keyspaces?

I have a DSE 6.8.3 cluster installed by Lifecycle Manager with 2 datacenters: dc1 - Transactional, dc2 - Analytics Solo.

I have configured the security keyspaces replication factors and have executed on all nodes:

nodetool repair --full system_auth
nodetool repair --full dse_security

I have configured 2 auth schemes: internal (default) and ldap.

Role Manager mode is set to "ldap".

system_keyspaces_filtering is set to true.

I have created a role that represents my ldap group "myldapgroup":

CREATE ROLE myldapgroup WITH LOGIN = true;
GRANT EXECUTE on LDAP SCHEME to myldapgroup;

"myldapuser" is a member of "myldapgroup". When I log in via "myldapuser" it has access to all keyspaces.

I mean a situation when I have additional keyspaces:

app1_keyspace1
app1_keyspace2

And myldapuser is able to successfully execute

DROP KEYSPACE app1_keyspace1;

How to restrict default users access only to keyspaces that I directly grant access to?

security
10 |1000 characters needed characters left characters exceeded

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

1 Answer

Erick Ramirez avatar image
Erick Ramirez answered ·

In DSE Advanced Security, you need to configure Role Based Access Control to grant specific permissions to users. Note this feature requires both authentication and authorization to be enabled.

Control access to keyspaces with the GRANT and REVOKE commands. For example, to grant all permissions (including ALTER, MODIFY or DROP) on the keyspace app_ks to the role svc_account, run the following command as a superuser:

GRANT ALL PERMISSIONS ON KEYSPACE app_ks TO svc_account;

For details, see Controlling access to keyspaces and tables. For a list of resource permissions and examples, see the CQL pages for the GRANT and REVOKE commands. Cheers!

7 comments Share
10 |1000 characters needed characters left characters exceeded

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

Did I need directly restrict permissions for newly created roles?

I have 2 keyspaces: mykeyspace1 and mykeyspace2. I need that created role myldapgroup had access to only mykeyspace1 and do not have access to mykeyspace2.

So, in this case I need to execute:

  
                    
  1. CREATE ROLE myldapgroup WITH LOGIN = true;
  2. GRANT EXECUTE on LDAP SCHEME to myldapgroup;
  3. GRANT ALL PERMISSIONS ON KEYSPACE mykeyspace1 TO myldapgroup;
  4. REVOKE ALL PERMISSIONS ON KEYSPACE mykeyspace2 TO myldapgroup;

Is this right? Or I have misconfigured dse security?

0 Likes 0 · ·

Yes, you can go as far as revoking access for all roles and only grant it to one role if that's what you need. Cheers!

0 Likes 0 · ·
dshevchuk avatar image dshevchuk Erick Ramirez ♦♦ ·

Is this a default behavior? To revoke permissions? I though the right way is to grant permissions to a resources the role should have access to.

I think you don't understand my question.

0 Likes 0 · ·
Show more comments