DCL

更新时间:
复制 MD 格式

Data Control Language (DCL) statements in Lindorm CQL manage database roles and permissions. This topic covers the syntax and usage of each DCL statement.

Key concepts

In Lindorm Cassandra Query Language (CQL), users are represented as database roles. Lindorm CQL supports similar role operations to Apache CQL.

Role name syntax:

role_name ::= identifier | string

By default, database roles have neither logon permissions nor superuser permissions.

Permission model

Permissions apply to a hierarchy of resources. Granting a permission at a higher level automatically cascades to all resources below it:

ALL KEYSPACES → KEYSPACE → TABLE

For example, granting SELECT on a keyspace automatically grants SELECT on every table in that keyspace.

Permission changes take effect immediately. Clients do not need to re-establish connections.

Lindorm CQL supports five permission types: CREATE, ALTER, DROP, SELECT, and MODIFY.

The following table shows which resources each permission applies to and what statements it enables.

Granting a permission on an unsupported resource returns an error.
PermissionResourceStatements enabled
CREATEALL KEYSPACESCREATE KEYSPACES and CREATE TABLE
CREATEKEYSPACECREATE TABLE
ALTERALL KEYSPACESALTER KEYSPACES and ALTER TABLE
ALTERKEYSPACEALTER TABLE
DROPALL KEYSPACESDROP KEYSPACES and DROP TABLE
DROPKEYSPACEDROP TABLE
SELECTALL KEYSPACESSELECT KEYSPACES and SELECT TABLE
SELECTKEYSPACESELECT TABLE
SELECTTABLESELECT
MODIFYALL KEYSPACESMODIFY KEYSPACES and MODIFY TABLE
MODIFYKEYSPACEMODIFY TABLE
MODIFYTABLEMODIFY

CREATE ROLE

Creates a database role.

Syntax

create_role_statement ::=  CREATE ROLE [ IF NOT EXISTS ] role_name
                               [ WITH role_options ]
role_options          ::=  role_option ( AND role_option )*
role_option           ::=  PASSWORD '=' string
                          | LOGIN '=' boolean
                          | SUPERUSER '=' boolean
                          | OPTIONS '=' map_literal

Parameters

ParameterDescription
role_nameThe name of the database role.
PASSWORDThe password used to log on to the database. Required.
LOGINWhether the role can log on to the database. Default: false. When a client connects using a role with LOGIN = true, the client is identified as that role and inherits all permissions assigned to it.
SUPERUSERWhether the role has superuser privileges. Default: false. A superuser can: create other superusers; execute DROP KEYSPACE, DROP TABLE, and TRUNCATE; grant permissions on keyspaces and tables to any role; and create permission hierarchies.
OPTIONSA map of additional options.

Examples

Create a role with logon access:

CREATE ROLE role1 WITH PASSWORD = 'password_a' AND LOGIN = true;

Create a role with logon access and superuser privileges:

CREATE ROLE role2 WITH PASSWORD = 'password_b' AND LOGIN = true AND SUPERUSER = true;

ALTER ROLE

Modifies an existing database role.

Syntax

alter_role_statement ::=  ALTER ROLE role_name WITH role_options

The parameters are the same as for CREATE ROLE. See the Parameters section above.

Use ALTER ROLE to change the logon password, logon permissions, or superuser status of a database role.

Example

Remove superuser status from bob and change the password:

ALTER ROLE bob WITH PASSWORD = 'PASSWORD_B' AND SUPERUSER = false;

DROP ROLE

Deletes a database role.

Syntax

drop_role_statement ::=  DROP ROLE [ IF EXISTS ] role_name

Parameters

ParameterDescription
role_nameThe name of the database role to delete.

Conditions for executing DROP ROLE:

  • The client must have DELETE permission on the target role.

  • Roles that are currently logged on cannot be deleted.

  • Only a superuser can delete a role that has SUPERUSER = true.

  • Without IF EXISTS: dropping a nonexistent role returns an error.

  • With IF EXISTS: dropping a nonexistent role is a no-op.

Examples

Delete a role:

DROP ROLE bob;

Delete a role without error if it does not exist:

DROP ROLE IF EXISTS bob;

LIST ROLES

Displays database roles.

Syntax

list_roles_statement ::=  LIST ROLES [ OF role_name ]

Parameters

ParameterDescription
role_name(Optional) The name of the database role to inspect.

Examples

List all roles. Only superusers can execute this statement:

LIST ROLES;

List the details of a specific role:

LIST ROLES OF role1;

GRANT PERMISSION

Grants permissions on a resource to a database role.

Syntax

grant_permission_statement ::=  GRANT permissions ON resource TO role_name
permissions                ::=  ALL [ PERMISSIONS ] | permission [ PERMISSION ]
permission                 ::=  CREATE | ALTER | DROP | SELECT | MODIFY
resource                   ::=  ALL KEYSPACES
                               | KEYSPACE keyspace_name
                               | [ TABLE ] table_name

Parameters

ParameterDescription
role_nameThe database role to grant permissions to.
permissionThe permission type: CREATE, ALTER, DROP, SELECT, or MODIFY. Use ALL PERMISSIONS to grant all five at once.
resourceThe resource scope: ALL KEYSPACES, KEYSPACE keyspace_name, or TABLE table_name.
keyspace_nameThe name of the keyspace.
table_nameThe name of the table.

Examples

Grant SELECT on all keyspaces — allows the role to run SELECT on any table in the cluster:

GRANT SELECT ON ALL KEYSPACES TO role;

Grant SELECT on a specific keyspace — allows the role to run SELECT on any table in ks:

GRANT SELECT ON KEYSPACE ks TO role;

REVOKE PERMISSION

Revokes permissions from a database role.

Syntax

revoke_permission_statement ::=  REVOKE permissions ON resource FROM role_name

The parameters are the same as for GRANT PERMISSION. See the Parameters section above.

Example

Revoke SELECT on all keyspaces from a role:

REVOKE SELECT ON ALL KEYSPACES FROM role;

LIST PERMISSIONS

Displays the permissions granted on resources.

Syntax

list_permissions_statement ::=  LIST permissions [ ON resource ] [ OF role_name ]

Parameters

ParameterDescription
permissionsThe permission type to filter by, or ALL PERMISSIONS to list all.
resource(Optional) Restrict results to a specific resource. If omitted, permissions on all resources are returned.
role_nameThe database role to inspect. Required unless the client is a superuser.

Examples

List all permissions for a role across all resources:

LIST ALL PERMISSIONS OF role;

List all permissions for a role on a specific keyspace:

LIST ALL PERMISSIONS ON KEYSPACE kss OF role;