First of all I’d like to wish you all a happy new year! As the first post of 2017, I’m going to talk about user management in Cassandra. Actually, it is now role based. Before version 2.2, Users existed. After version 2.2, Cassandra moved to role-based access control, but Users still exist in order to provide backward compatibility. There are three main components to talk about here:
- Permissions – Allow or deny doing a particular thing to a resource
- Users – Have a set of permissions, password to login
- Roles – Same as Users
We also need to make some changes to the cassandra-installation-location/conf/cassandra.yaml file to enable login and permissions. By default both are disabled, and any user is allowed to log in. We can check that by executing a command that needs permission, such as LIST ROLES; it will give an error.
We won’t be able to view permissions either,
To enable both, we need to change the authenticator and authorizer settings as below,
Then restart Cassandra (./cassandra) and log in using the default user, cassandra.
Now we should be able to LIST USERS.
Permissions on resources are granted to roles; there are several different types of resources in Cassandra and each type is modeled hierarchically:
- The hierarchy of Data resources, Keyspaces and Tables has the structure
ALL KEYSPACES -> KEYSPACE -> TABLE.
- Function resources have the structure
ALL FUNCTIONS -> KEYSPACE -> FUNCTION
- Resources representing roles have the structure
ALL ROLES -> ROLE
- Resources representing JMX ObjectNames, which map to sets of MBeans/MXBeans, have the structure
ALL MBEANS -> MBEAN
Permissions can be granted at any level of these hierarchies and they flow downwards, so granting a permission on a resource higher up the chain automatically grants that same permission on all resources lower down. The full set of available permissions is,
But we can’t use all these permissions with all the resources. Here is the compatibility of permissions with the resources.
- Grant permission
GRANT <permission> ON <resource> TO <role>
- List permissions
LIST <permissions> ON <resource> OF <role>
- Revoke permissions
REVOKE <permission> ON <resource> FROM <role>
- Create role
CREATE ROLE <role-name> WITH PASSWORD = '<password>' AND LOGIN = <true/false>
AND SUPERUSER = <true/false>
- List roles
- Alter roles
ALTER ROLE <role-name> WITH <option> = <value>
- Drop roles
DROP ROLE <role-name>
- Grant a role to a role – This will give all the permissions of role one to role two.
GRANT <role-one-name> TO <role-two-name>
- Revoke permissions from a role
REVOKE <role-one-name> FROM <role-two-name>
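A least-privilege setup that puts the permission and role commands above together, as an added example that is not from the original post. It assumes authentication and authorization are enabled in cassandra.yaml (authenticator: PasswordAuthenticator, authorizer: CassandraAuthorizer) and that a keyspace shop with a table shop.orders exists; those names and every role name and password below are placeholders.

```cql
-- Added example (constructed). Keyspace "shop", table "shop.orders", all role
-- names and all passwords are placeholders, not values from the original post.

-- 1. Stop relying on the default superuser: create a named admin, reconnect
--    as that admin, then take login and superuser rights away from "cassandra".
CREATE ROLE dba_admin WITH PASSWORD = 'placeholder-admin-pw' AND LOGIN = true AND SUPERUSER = true;
-- (reconnect as dba_admin before running the next statement)
ALTER ROLE cassandra WITH PASSWORD = 'placeholder-long-random' AND LOGIN = false AND SUPERUSER = false;

-- 2. Permission-only roles: LOGIN = false, so nobody can authenticate as them.
CREATE ROLE shop_reader WITH LOGIN = false;
CREATE ROLE shop_writer WITH LOGIN = false;

-- 3. Grant at the lowest level of the hierarchy that does the job.
--    SELECT on the keyspace flows down to every table inside it.
GRANT SELECT ON KEYSPACE shop TO shop_reader;
--    MODIFY is limited to a single table.
GRANT MODIFY ON TABLE shop.orders TO shop_writer;

-- 4. Role-to-role grant: shop_writer now also holds shop_reader's permissions.
GRANT shop_reader TO shop_writer;

-- 5. Login roles for the applications; they carry no direct permissions,
--    only the permission-only roles granted to them.
CREATE ROLE report_app WITH PASSWORD = 'placeholder-report-pw' AND LOGIN = true;
CREATE ROLE order_app WITH PASSWORD = 'placeholder-order-pw' AND LOGIN = true;
GRANT shop_reader TO report_app;
GRANT shop_writer TO order_app;

-- 6. Audit what was actually granted, including permissions that arrive
--    through granted roles.
LIST ALL PERMISSIONS OF order_app;
LIST ALL PERMISSIONS ON KEYSPACE shop;
LIST ROLES OF order_app;

-- 7. Withdraw access in the reverse order when it is no longer needed.
REVOKE MODIFY ON TABLE shop.orders FROM shop_writer;
REVOKE shop_writer FROM order_app;
DROP ROLE order_app;
```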
Same as Roles. We can view both users and roles by using LIST ROLES and LIST USERS. Both commands will list all the users and roles together, because there is no difference between USERS and ROLES. As I mentioned earlier, earlier versions had users, and new versions after 2.2 use roles.
- Create user
CREATE USER <name>
- List users
- Alter users
ALTER USER <user-name> WITH <options>
- Drop users
DROP USER <user-name>
Hope now you have a clear idea about permissions, users and roles in Cassandra. These things are mandatory in security. See you soon with another important topic. Thank You!