
GRANT PERMISSION

Attention

This page documents an earlier version. Go to the latest (v2.0) version.

    • Synopsis
    • Syntax
      • Diagram
        • grant_permission
        • all_permissions
        • permission
        • resource
      • Grammar
    • Semantics
    • Permissions
      • Permissions needed to execute specific operations on a database object
    • Examples
      • Grant MODIFY permission on a table so role qa can insert rows into a table.
      • Grant SELECT permission on a table so role qa can read the table.
      • Grant CREATE permission on ALL KEYSPACES so role tests can create new keyspaces.
    • See Also

Synopsis

The GRANT PERMISSION statement is used to grant a permission (or all the available permissions) to a role.

When a database object (keyspace, table, or role) is created, all the permissions relevant to the object are automatically and explicitly granted to the role creating it.

This statement is enabled by setting the yb-tserver gflag use_cassandra_authentication to true.

Syntax

Diagram

grant_permission

GRANT ( all_permissions | permission ) ON resource TO role_name

all_permissions

ALL [ PERMISSIONS ]

permission

( CREATE | ALTER | DROP | SELECT | MODIFY | AUTHORIZE | DESCRIBE | EXECUTE ) [ PERMISSION ]

resource

ALL ( KEYSPACES | ROLES ) | KEYSPACE keyspace_name | [ TABLE ] table_name | ROLE role_name

Grammar

grant_permission := GRANT ( all_permissions | permission ) ON resource TO role_name;
all_permissions := ALL [ PERMISSIONS ]
permission :=  ( CREATE | ALTER | DROP | SELECT | MODIFY | AUTHORIZE | DESCRIBE | EXECUTE ) [ PERMISSION ]
resource := ALL ( KEYSPACES | ROLES ) | KEYSPACE keyspace_name | [ TABLE ] table_name | ROLE role_name;

Where

  • keyspace_name, table_name, and role_name are text identifiers (table_name may be qualified with a keyspace name).

Semantics

  • Permission AUTHORIZE on ALL ROLES or on the role being used in the statement is necessary. Otherwise, an unauthorized error will be returned.

Permissions

This section describes the permissions (represented by ALTER, AUTHORIZE, CREATE, DESCRIBE, DROP, MODIFY, and SELECT) that are necessary to execute operations on database objects. A permission can be granted on a specific object (represented by the resources KEYSPACE, TABLE, and ROLE) or on a whole group of objects (represented by the resources ALL KEYSPACES and ALL ROLES). Some permissions are granted implicitly, which means that you will never see them listed when you query the system_auth.role_permissions table. Implicitly granted permissions follow these rules:

  • Any permission granted on ALL KEYSPACES is implicitly granted on every keyspace and table in the database.
  • Any permission granted on a specific KEYSPACE is implicitly granted on every table in that keyspace.
  • Any permission granted on ALL ROLES is implicitly granted on every role.

Permissions needed to execute specific operations on a database object

| Operation | Permission | Resource |
|---|---|---|
| ALTER KEYSPACE | ALTER | ALL KEYSPACES, or KEYSPACE |
| ALTER ROLE | ALTER | ALL ROLES, or ROLE |
| ALTER TABLE | ALTER | ALL KEYSPACES, KEYSPACE, or TABLE |
| CREATE KEYSPACE | CREATE | ALL KEYSPACES |
| CREATE ROLE | CREATE | ALL ROLES |
| CREATE TABLE | CREATE | ALL KEYSPACES, KEYSPACE |
| DROP KEYSPACE | DROP | ALL KEYSPACES, or KEYSPACE |
| DROP ROLE | DROP | ALL ROLES, or ROLE |
| DROP TABLE | DROP | ALL KEYSPACES, KEYSPACE, or TABLE |
| GRANT PERMISSION or REVOKE PERMISSION on ALL KEYSPACES | AUTHORIZE | ALL KEYSPACES |
| GRANT PERMISSION or REVOKE PERMISSION on ALL ROLES | AUTHORIZE | ALL ROLES |
| GRANT PERMISSION or REVOKE PERMISSION on a keyspace | AUTHORIZE | ALL KEYSPACES, or KEYSPACE |
| GRANT PERMISSION or REVOKE PERMISSION on a role | AUTHORIZE | ALL ROLES, or ROLE |
| GRANT PERMISSION or REVOKE PERMISSION on a table | AUTHORIZE | ALL KEYSPACES, KEYSPACE, or TABLE |
| GRANT ROLE or REVOKE ROLE | AUTHORIZE | ALL ROLES, or ROLE |
| INSERT, UPDATE, DELETE, or TRUNCATE | MODIFY | ALL KEYSPACES, KEYSPACE, or TABLE |
| LIST ROLES (not yet implemented) | DESCRIBE | ALL ROLES |
| SELECT | SELECT | ALL KEYSPACES, KEYSPACE, or TABLE |
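
Because implicit grants never appear in system_auth.role_permissions, a least-privilege review has to derive them. The following added example (not part of the YugabyteDB documentation or code base) parses GRANT PERMISSION statements per the grammar above and reports which grants cover a table operation. It assumes keyspace-qualified table names and does not model permissions inherited through GRANT ROLE; the "data"/"roles" path labels and the auditor and admin roles are constructed for illustration.

```python
import re

ALL_PERMS = {"CREATE", "ALTER", "DROP", "SELECT", "MODIFY",
             "AUTHORIZE", "DESCRIBE", "EXECUTE"}
# Permission required per table-level operation (rows from the table above).
NEEDED = {"SELECT": "SELECT", "INSERT": "MODIFY", "UPDATE": "MODIFY",
          "DELETE": "MODIFY", "TRUNCATE": "MODIFY",
          "ALTER TABLE": "ALTER", "DROP TABLE": "DROP"}

GRANT_RE = re.compile(
    r"^\s*GRANT\s+(?:(ALL)(?:\s+PERMISSIONS)?|(\w+)(?:\s+PERMISSION)?)\s+ON\s+"
    r"(?:(ALL\s+KEYSPACES)|(ALL\s+ROLES)|KEYSPACE\s+(\w+)|ROLE\s+(\w+)"
    r"|(?:TABLE\s+)?(\w+)\.(\w+))\s+TO\s+(\w+)\s*;?\s*$", re.IGNORECASE)

def parse_grant(stmt):
    """Return (grantee, permissions, resource) for one GRANT PERMISSION statement."""
    m = GRANT_RE.match(stmt)
    if not m:
        raise ValueError(f"unsupported statement: {stmt!r}")
    all_kw, perm, all_ks, all_roles, ks, role, tks, tbl, grantee = m.groups()
    # Simplification: ALL expands to every permission name in the grammar.
    perms = set(ALL_PERMS) if all_kw else {perm.upper()}
    if not perms <= ALL_PERMS:
        raise ValueError(f"unknown permission in: {stmt!r}")
    # Resources become paths (labels chosen for this example) so that a
    # broader resource is a prefix of every narrower one it implicitly covers.
    if all_ks:
        res = ("data",)
    elif all_roles:
        res = ("roles",)
    elif ks:
        res = ("data", ks)
    elif role:
        res = ("roles", role)
    else:
        res = ("data", tks, tbl)
    return grantee, perms, res

def covering_grants(grants, role, operation, table):
    """Resources whose grants let `role` run `operation` on 'keyspace.table'."""
    target = ("data", *table.split("."))
    need = NEEDED[operation]
    return [res for grantee, perms, res in grants
            if grantee == role and need in perms and target[:len(res)] == res]

# The first three statements are the page's examples; the last two are constructed.
GRANTS = [parse_grant(s) for s in (
    "GRANT MODIFY ON TABLE performance_tests.metrics TO qa;",
    "GRANT SELECT ON performance_tests.metrics TO qa;",
    "GRANT CREATE ON ALL KEYSPACES TO tests;",
    "GRANT SELECT ON KEYSPACE performance_tests TO auditor;",
    "GRANT ALL PERMISSIONS ON ALL KEYSPACES TO admin;")]
```

An empty list from covering_grants means the operation would be rejected; a result of ("data",) or ("data", keyspace) flags access that comes from a broad grant rather than a table-level one.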

Examples

Grant MODIFY permission on a table so role qa can insert rows into a table.

cqlsh:example> GRANT MODIFY ON TABLE performance_tests.metrics TO qa;

Grant SELECT permission on a table so role qa can read the table.

cqlsh:example> GRANT SELECT ON performance_tests.metrics TO qa;

Grant CREATE permission on ALL KEYSPACES so role tests can create new keyspaces.

cqlsh:example> GRANT CREATE ON ALL KEYSPACES TO tests;

See Also

  • ALTER ROLE
  • DROP ROLE
  • CREATE ROLE
  • REVOKE ROLE
  • GRANT PERMISSION
  • REVOKE PERMISSION
  • Other CQL Statements

Copyright © 2017-2019 Yugabyte, Inc. All rights reserved.