Manage users and roles
Roles in YCQL can represent individual users or a group of users. Users are a role that has login permissions.
You manage roles and users using the CREATE ROLE, GRANT ROLE, REVOKE ROLE, and DROP ROLE statements.
YCQL and case sensitivity
Like CQL, YCQL is case-insensitive by default. When specifying an identifier, such as the name of a table or role, YCQL automatically converts the identifier to lowercase. For example,CREATE ROLE Alice
creates the role "alice". To use a case-sensitive name for an identifier, enclose the name in quotes. For example, to create the role "Alice", use CREATE ROLE "Alice"
.
Create roles
You can create roles with the CREATE ROLE command.
For example, to create a role engineering
for an engineering team in an organization, do the following (add the IF NOT EXISTS
clause in case the role already exists):
cassandra@ycqlsh> CREATE ROLE IF NOT EXISTS engineering;
Roles that have LOGIN
permissions are users. For example, create a user john
as follows:
cassandra@ycqlsh> CREATE ROLE IF NOT EXISTS john WITH PASSWORD = 'PasswdForJohn' AND LOGIN = true;
Read about how to create users in YugabyteDB in the authentication section.
Grant roles
You can grant a role to another role (which can be a user), or revoke a role that has already been granted. Executing the GRANT ROLE and the REVOKE ROLE operations requires the AUTHORIZE
permission on the role being granted or revoked.
For example, you can grant the engineering
role you created above to the user john
as follows:
cassandra@ycqlsh> GRANT engineering TO john;
Read more about granting privileges.
Create a hierarchy of roles
In YCQL, you can create a hierarchy of roles. The permissions of any role in the hierarchy flows downward.
For example, you can create a developer
role that inherits all the permissions from the engineering
role.
First, create the developer
role.
cassandra@ycqlsh> CREATE ROLE IF NOT EXISTS developer;
Next, GRANT
the engineering
role to the developer
role.
cassandra@ycqlsh> GRANT engineering TO developer;
List roles
You can list all the roles by running the following command:
cassandra@ycqlsh> SELECT role, can_login, is_superuser, member_of FROM system_auth.roles;
You should see the following output:
role | can_login | is_superuser | member_of
-------------+-----------+--------------+-----------------
john | True | False | ['engineering']
developer | False | False | ['engineering']
engineering | False | False | []
cassandra | True | True | []
(4 rows)
In the table above, note the following:
- The
cassandra
role is the built-in superuser. - The role
john
can log in, and hence is a user. Note thatjohn
is not a superuser. - The roles
engineering
anddeveloper
cannot log in. - Both
john
anddeveloper
inherit the roleengineering
.
Revoke roles
Revoke roles using the REVOKE ROLE command.
For example, you can revoke the engineering
role from the user john
as follows:
cassandra@ycqlsh> REVOKE engineering FROM john;
Listing all the roles now shows that john
no longer inherits from the engineering
role:
cassandra@ycqlsh> SELECT role, can_login, is_superuser, member_of FROM system_auth.roles;
role | can_login | is_superuser | member_of
-------------+-----------+--------------+-----------------
john | True | False | []
developer | False | False | ['engineering']
engineering | False | False | []
cassandra | True | True | []
(4 rows)
Drop roles
Drop roles using the DROP ROLE command.
For example, you can drop the developer
role with the following command:
cassandra@ycqlsh> DROP ROLE IF EXISTS developer;
The developer
role is no longer present when listing all the roles:
cassandra@ycqlsh> SELECT role, can_login, is_superuser, member_of FROM system_auth.roles;
role | can_login | is_superuser | member_of
-------------+-----------+--------------+-----------
john | True | False | []
engineering | False | False | []
cassandra | True | True | []
(3 rows)