Managing object permissions using internal authorization
You use the familiar relational database GRANT/REVOKE paradigm to grant or revoke permissions to access Cassandra data. A superuser grants the initial permissions; after that, a user may or may not be given the permission to grant and revoke permissions in turn. Object permission management is independent of authentication (it works with Kerberos or Cassandra authentication).
CQL 3 supports the following authorization statements, which are described in the CQL alphabetical security command reference:
Accessing system resources
Read access to these system tables is implicitly given to every authenticated user because the tables are used by most Cassandra tools:
CassandraAuthorizer is one of many possible IAuthorizer implementations; it is the one that stores permissions in the system_auth.permissions table to support all authorization-related CQL 3 statements. Configuration consists mainly of changing the authorizer option in cassandra.yaml, as described in Configuring internal authentication and authorization.
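The GRANT/REVOKE flow described above, including delegation of the right to grant, as an added example that is not part of the original documentation. The users `app_reader` and `app_admin`, the keyspace `app_ks`, the table `app_ks.orders` and the passwords are constructed placeholders; the keyspace and table are assumed to exist already.

```cql
-- Added example; all names and passwords are constructed placeholders.
-- Run as a superuser on a cluster where cassandra.yaml sets
--   authorizer: org.apache.cassandra.auth.CassandraAuthorizer
-- Assumes keyspace app_ks and table app_ks.orders already exist.

CREATE USER app_reader WITH PASSWORD 'REPLACE_ME_1' NOSUPERUSER;
CREATE USER app_admin  WITH PASSWORD 'REPLACE_ME_2' NOSUPERUSER;

-- Least privilege: read-only access to a single table.
GRANT SELECT ON TABLE app_ks.orders TO app_reader;

-- app_admin may read and write everything in the keyspace ...
GRANT SELECT ON KEYSPACE app_ks TO app_admin;
GRANT MODIFY ON KEYSPACE app_ks TO app_admin;

-- ... and AUTHORIZE is the permission that lets a non-superuser
-- issue GRANT/REVOKE on this keyspace. Hand it out sparingly.
GRANT AUTHORIZE ON KEYSPACE app_ks TO app_admin;

-- Review what was granted, per user and per resource.
LIST ALL PERMISSIONS OF app_reader;
LIST ALL PERMISSIONS ON KEYSPACE app_ks;

-- With CassandraAuthorizer the grants are rows in this table.
SELECT * FROM system_auth.permissions;

-- Withdraw access that is no longer needed.
REVOKE SELECT ON TABLE app_ks.orders FROM app_reader;
REVOKE AUTHORIZE ON KEYSPACE app_ks FROM app_admin;
```

Running the two `LIST` statements after every change gives a quick audit of who holds AUTHORIZE, which is the permission most worth keeping track of.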