Database Roles in CQL (Cassandra Query Language)

In this article we discuss database roles in Cassandra Query Language (CQL). It is important to create different roles for different types of users so that each is given access according to its specific requirements. Roles are used to provide security for database users or groups of users.

A role name is defined as follows.

 role_name ::=  identifier | string
  1. CREATE ROLE:
    In CQL we create a role with the CREATE ROLE statement. It creates a role for a user or a group of users.
    Syntax:



    create_role_statement ::=  CREATE ROLE [ IF NOT EXISTS ] role_name
                                   [ WITH role_options ]
    role_options          ::=  role_option ( AND role_option )*
    role_option           ::=  PASSWORD '=' string
                              | LOGIN '=' boolean
                              | SUPERUSER '=' boolean
                              | OPTIONS '=' map_literal
                              | ACCESS TO DATACENTERS set_literal
                              | ACCESS TO ALL DATACENTERS 

    syntax :
    CREATE ROLE new_role_name; 

    For example:
    To create a simple user role and a superuser role, use the following CQL queries.

    CREATE ROLE Ashish WITH PASSWORD = 'pass_a' 
                             AND LOGIN = true;
    CREATE ROLE Rana WITH PASSWORD = 'pass_r' 
                      AND LOGIN = true 
                      AND SUPERUSER = true;

    To create a database role with more restrictions, for example a user who is only able to access specific datacenters, use the following CQL queries.

    CREATE ROLE user1 WITH OPTIONS = { 'option1' : 'option1_value', 
                                       'option2' : 98 };
    CREATE ROLE Ashish WITH PASSWORD = 'pass_a' 
                        AND LOGIN = true 
                        AND ACCESS TO DATACENTERS {'DC1', 'DC4'};
    CREATE ROLE Rana WITH PASSWORD = 'pass_r' 
                      AND LOGIN = true 
                      AND ACCESS TO ALL DATACENTERS;

    To create a role conditionally, use the following CQL query.

    CREATE ROLE IF NOT EXISTS role_name; 
  2. ALTER ROLE :
    To change a role that has already been created, use the ALTER ROLE statement.

    Syntax : 
    alter_role_statement ::=  ALTER ROLE role_name 
                              WITH role_options 

    For instance:
    Before Alter Role

    CREATE ROLE Rana WITH PASSWORD = 'pass_r' 
                           AND LOGIN = true 
                           AND SUPERUSER = true;

    After Alter Role

    ALTER ROLE Rana WITH PASSWORD = 'pass_r' 
                          AND SUPERUSER = false;
  3. DROP ROLE :
    To drop an existing role, use the following CQL query.
    Syntax:

    drop_role_statement ::=  DROP ROLE [ IF EXISTS ] role_name

    For example:

    DROP ROLE Ashish;
  4. GRANT ROLE :
    It is used to grant a role to other users.
    Syntax:


    grant_role_statement ::=  GRANT role_name 
                                      TO role_name

    For example:

    GRANT user1 TO Ashish;

    This statement grants the user1 role to Ashish. Any permissions granted to user1 are also acquired by Ashish.

  5. REVOKE ROLE :
    To revoke a database role, use the REVOKE ROLE statement.
    Syntax:

     revoke_role_statement ::=  REVOKE role_name 
                                     FROM role_name

    For instance:

    REVOKE user1 FROM Ashish;

    The above CQL statement revokes the user1 role from Ashish. Any permissions that Ashish has acquired via the user1 role are also revoked.

  6. LIST ROLE :
    To list all roles, use the following CQL query.
    Syntax:

    list_roles_statement ::=  LIST ROLES [ OF role_name ] 
                                              [ NORECURSIVE ]

    For instance:

    LIST ROLES;

    This CQL statement returns all known roles in the system; it requires DESCRIBE permission on the database roles resource.
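
The statements above combined into one least-privilege workflow, as an added example that is not from the original article: permissions are attached to a non-login role and reach a login role only through GRANT and REVOKE. The keyspace app_data, the roles reporting and alice, and the password are hypothetical placeholders; GRANT ... ON KEYSPACE and LIST ALL PERMISSIONS are standard CQL statements not covered on this page, and the example assumes authentication and authorization are enabled on the cluster.

```cql
-- Added example; keyspace, role names and password are constructed placeholders.
-- Assumes cassandra.yaml uses PasswordAuthenticator and CassandraAuthorizer,
-- and that the session runs as a role with sufficient privileges (e.g. a superuser).

CREATE KEYSPACE IF NOT EXISTS app_data
    WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1};

-- 1. A "group" role: holds permissions but cannot log in itself.
CREATE ROLE IF NOT EXISTS reporting WITH LOGIN = false;
GRANT SELECT ON KEYSPACE app_data TO reporting;

-- 2. A login role with no permissions of its own and no superuser rights.
CREATE ROLE IF NOT EXISTS alice
    WITH PASSWORD = 'change-me-placeholder'
     AND LOGIN = true
     AND SUPERUSER = false;

-- 3. alice acquires SELECT on app_data only through role membership.
GRANT reporting TO alice;

-- 4. Review what was granted.
LIST ROLES OF alice;              -- roles granted to alice, inherited ones included
LIST ROLES OF alice NORECURSIVE;  -- only roles granted directly to alice
LIST ALL PERMISSIONS OF alice;    -- permissions of alice, inherited ones included

-- 5. Remove access by revoking membership; the reporting role itself
--    stays intact for any other members.
REVOKE reporting FROM alice;
LIST ALL PERMISSIONS OF alice;    -- SELECT on app_data is no longer listed

-- 6. Clean up.
DROP ROLE IF EXISTS alice;
DROP ROLE IF EXISTS reporting;
```

Keeping permissions on the non-login role means access can be audited and withdrawn per member without touching the permission grants themselves.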


