zhang ming

Reputation: 1

How do I properly grant permissions to a specific keyspace to a user and validate it?

In short, the statement GRANT SELECT ON KEYSPACE AAA TO user; does not take effect when executing LIST ALL PERMISSIONS OF user;.

I find nothing when I google this.

Upvotes: 0

Views: 3076

Answers (2)

Madhavan

Reputation: 649

First, I would like to point out the recipe which will help you in asking a good question in this forum, which will in turn help readers to triage your problem in full. Please see here for the same.

Having said that, your question doesn't have enough information like the version of Apache Cassandra™ that is used here, actual CQL statements with the output of the command, the actual keyspace name (with case) to help you out further effectively.

I am going to make an educated guess here and try to help you out. If something is not correct, please update your original question with additional details and we could help you out further correctly.

Assumptions:

  • Open Source Apache Cassandra™ is in use here.
  • Version unknown at this time.
  • The keyspace name is case-sensitive and it is all upper case as AAA.
  • The cluster has been set up and is running properly without issues.
  • You've configured the client authentication appropriately.
  • You're logged in as a super user and are attempting to grant permissions to another user role.

Granting SELECT permission for the role user via CQL shell:

cqlsh> GRANT SELECT ON KEYSPACE "AAA" TO user;

Notice here that since the keyspace name is all in upper case, we are providing quotes around it to preserve the case. This gives the user role user with the role data_reader permission to execute SELECT statements on any table in the AAA keyspace only.

Now, one could verify the permissions of the user role by issuing:

cqlsh> LIST ALL PERMISSIONS OF user;

See https://cassandra.apache.org/doc/4.1/cassandra/cql/cql_singlefile.html#grantPermissionsStmt & https://cassandra.apache.org/doc/4.1/cassandra/cql/security.html documentation for further details.

Upvotes: 2

Erick Ramirez

Reputation: 16323

Assuming you have enabled both authentication and authorization in your cluster, I am unable to replicate the issue you reported.

Here are the steps I performed to grant a permission to a CQL ROLE:

STEP A1 - Connect with cqlsh as a superuser.

STEP A2 - Create a new keyspace:

admin@cqlsh> CREATE KEYSPACE stackoverflow \
  WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1};

STEP A3 - Create a new role:

admin@cqlsh> CREATE ROLE zhang WITH LOGIN = true ;

STEP A4 - Grant SELECT permission for the new keyspace:

admin@cqlsh> GRANT SELECT ON KEYSPACE stackoverflow TO zhang;

STEP A5 - Verify that the permission was granted:

admin@cqlsh> LIST ALL PERMISSIONS OF zhang;

 role  | username | resource                 | permission
-------+----------+--------------------------+------------
 zhang |    zhang | <keyspace stackoverflow> |     SELECT

Just in case you are using the deprecated CQL USER, I ran a similar test as follows:

STEP B1 - Create a new user:

admin@cqlsh> CREATE USER ming WITH PASSWORD 'password';

STEP B2 - Grant SELECT permission for the new keyspace:

admin@cqlsh> GRANT SELECT ON KEYSPACE stackoverflow TO ming;

STEP B3 - Verify that the permission was granted:

admin@cqlsh> LIST ALL PERMISSIONS OF ming;

 role | username | resource                 | permission
------+----------+--------------------------+------------
 ming |     ming | <keyspace stackoverflow> |     SELECT

As you can see in both instances, I was able to successfully grant permissions to the keyspace.

If you're still having issues, please update your original question with:

  • clear steps on how to replicate the problem,
  • full error message(s) you got (if any),
  • full error message + full stack trace in the logs (if any),

and I would be happy to review them. Cheers!

Upvotes: 0
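An added example, not part of either answer: a Python check that parses LIST ALL PERMISSIONS output in the format shown above and confirms a keyspace grant, applying the CQL rule that unquoted identifiers fold to lower case while quoted ones keep their case. The function names and the second sample row (a grant on keyspace AAA) are constructed for illustration.

```python
import re

def fold_identifier(ident: str) -> str:
    """Return the name Cassandra stores for a CQL identifier as typed."""
    ident = ident.strip()
    if len(ident) >= 2 and ident[0] == '"' and ident[-1] == '"':
        return ident[1:-1].replace('""', '"')   # quoted: case preserved
    return ident.lower()                        # unquoted: folded to lower case

def parse_permissions(listing: str) -> set:
    """Parse cqlsh permission rows into (role, resource, permission) tuples."""
    grants = set()
    for line in listing.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 4 or cells[0] == "role":
            continue                            # header, separator, blank lines
        role, _username, resource, permission = cells
        grants.add((role, resource, permission))
    return grants

def check_keyspace_grant(listing, role_typed, keyspace_typed, permission):
    """Return (ok, reason); the reason names a case mismatch when one exists."""
    role = fold_identifier(role_typed)
    keyspace = fold_identifier(keyspace_typed)
    wanted = permission.upper()
    grants = parse_permissions(listing)
    if (role, f"<keyspace {keyspace}>", wanted) in grants:
        return True, f"{wanted} on keyspace {keyspace} is granted to {role}"
    for g_role, resource, g_perm in grants:
        m = re.fullmatch(r"<keyspace (.+)>", resource)
        if (m and g_role == role and g_perm == wanted
                and m.group(1).lower() == keyspace.lower()):
            return False, (f"grant exists on keyspace {m.group(1)}, "
                           f"but the statement as typed refers to {keyspace}")
    return False, f"no {wanted} grant on keyspace {keyspace} for {role}"

# Constructed sample: first row as in the answer above, second row added here.
SAMPLE = """
 role  | username | resource                 | permission
-------+----------+--------------------------+------------
 zhang |    zhang | <keyspace stackoverflow> |     SELECT
 zhang |    zhang |           <keyspace AAA> |     SELECT
"""

if __name__ == "__main__":
    for ks in ("stackoverflow", '"AAA"', "AAA"):
        print(ks, check_keyspace_grant(SAMPLE, "zhang", ks, "SELECT"))
```

Pass the keyspace exactly as it was typed in the GRANT statement, including any double quotes, so the check applies the same folding the server does.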
