gmldba_107428 asked Erick Ramirez answered

What are the minimum permissions required to create keyspaces?

Is there a way to grant permissions to create keyspaces? The CREATE can be granted at any of these elements: keyspace, table, function, role, index. Is there a way to grant permissions to create keyspaces without being a superuser? Would it be GRANT CREATE, ALTER, DROP ON ALL KEYSPACES TO rolename?

cassandraauthorization

1 Answer

Erick Ramirez answered

All you need to do as a superuser is to grant the CREATE permission for all keyspaces to the role. Once you've done that, the role will automatically inherit all the other permissions such as create/alter/drop tables. Let me illustrate with an example.

Grant permission

As a superuser, I created a new user with:

superadmin@cqlsh> CREATE ROLE gmldba WITH LOGIN = true AND PASSWORD = 'TodayIsWednesday';

I granted the permission to gmldba:

superadmin@cqlsh> GRANT CREATE ON ALL KEYSPACES TO gmldba;
superadmin@cqlsh> LIST ALL PERMISSIONS OF gmldba;

 role   | username | resource        | permission
--------+----------+-----------------+------------
 gmldba |   gmldba | <all keyspaces> |     CREATE

Test keyspace

To test that the permissions work, I logged in as gmldba:

$ cqlsh 10.101.32.232 -u gmldba -p TodayIsWednesday

Then created a keyspace and a table:

gmldba@cqlsh> CREATE KEYSPACE playlist WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1 };
gmldba@cqlsh:playlist> CREATE TABLE songs ( title text, year int, artist text, PRIMARY KEY((title, year)));

A quick check of the permissions now shows that gmldba has full privileges on the new keyspace and table:

gmldba@cqlsh:playlist> LIST ALL PERMISSIONS OF gmldba;

 role   | username | resource                    | permission
--------+----------+-----------------------------+------------
 gmldba |   gmldba |             <all keyspaces> |     CREATE
 gmldba |   gmldba |         <keyspace playlist> |     CREATE
 gmldba |   gmldba |         <keyspace playlist> |      ALTER
 gmldba |   gmldba |         <keyspace playlist> |       DROP
 gmldba |   gmldba |         <keyspace playlist> |     SELECT
 gmldba |   gmldba |         <keyspace playlist> |     MODIFY
 gmldba |   gmldba |         <keyspace playlist> |  AUTHORIZE
 gmldba |   gmldba |      <table playlist.songs> |      ALTER
 gmldba |   gmldba |      <table playlist.songs> |       DROP
 gmldba |   gmldba |      <table playlist.songs> |     SELECT
 gmldba |   gmldba |      <table playlist.songs> |     MODIFY
 gmldba |   gmldba |      <table playlist.songs> |  AUTHORIZE
 gmldba |   gmldba | <all functions in playlist> |     CREATE
 gmldba |   gmldba | <all functions in playlist> |      ALTER
 gmldba |   gmldba | <all functions in playlist> |       DROP
 gmldba |   gmldba | <all functions in playlist> |  AUTHORIZE
 gmldba |   gmldba | <all functions in playlist> |    EXECUTE

If you need help with the syntax, see CQL GRANT. Cheers!

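The following is an added example, not part of the answer above: a small Python audit of `LIST ALL PERMISSIONS` output that flags grants scoped to every resource of a type (such as `<all keyspaces>`) and resources on which a role holds AUTHORIZE, which lets it GRANT and REVOKE there. The function names are illustrative, and the sample rows are a trimmed copy of the listing in the answer.

```python
import re
from collections import defaultdict

# Sample input: a few rows copied from the listing in the answer above.
SAMPLE = """\
 role   | username | resource                    | permission
--------+----------+-----------------------------+------------
 gmldba |   gmldba |             <all keyspaces> |     CREATE
 gmldba |   gmldba |         <keyspace playlist> |      ALTER
 gmldba |   gmldba |         <keyspace playlist> |  AUTHORIZE
 gmldba |   gmldba |      <table playlist.songs> |     SELECT
 gmldba |   gmldba |      <table playlist.songs> |  AUTHORIZE
 gmldba |   gmldba | <all functions in playlist> |    EXECUTE
"""

def parse_permissions(text):
    """Return {(role, resource): set(permissions)} from cqlsh table output."""
    grants = defaultdict(set)
    header = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) <= set("-+"):
            continue  # blank line or the ---+--- separator row
        cells = [c.strip() for c in line.split("|")]
        if header is None:
            header = cells  # first data-like row is the column header
            continue
        if len(cells) != len(header):
            continue  # footer such as "(17 rows)"
        row = dict(zip(header, cells))
        grants[(row["role"], row["resource"])].add(row["permission"])
    return dict(grants)

def audit(grants):
    """Return (role, resource, reason) tuples for grants worth reviewing."""
    findings = []
    for (role, resource), perms in sorted(grants.items()):
        # "<all keyspaces>" is cluster-wide; "<all functions in playlist>"
        # is scoped to one keyspace and deliberately does not match.
        if re.fullmatch(r"<all \w+>", resource):
            findings.append((role, resource, "cluster-wide: " + ",".join(sorted(perms))))
        if "AUTHORIZE" in perms:
            findings.append((role, resource, "can GRANT/REVOKE on this resource"))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_permissions(SAMPLE)):
        print(" | ".join(finding))
```
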