Data Control Language (DCL) statements in Lindorm CQL manage database roles and permissions. This topic covers the syntax and usage of each DCL statement.
Key concepts
In Lindorm Cassandra Query Language (CQL), users are represented as database roles. Lindorm CQL supports similar role operations to Apache CQL.
Role name syntax:
role_name ::= identifier | stringBy default, database roles have neither logon permissions nor superuser permissions.
Permission model
Permissions apply to a hierarchy of resources. Granting a permission at a higher level automatically cascades to all resources below it:
ALL KEYSPACES → KEYSPACE → TABLEFor example, granting SELECT on a keyspace automatically grants SELECT on every table in that keyspace.
Lindorm CQL supports five permission types: CREATE, ALTER, DROP, SELECT, and MODIFY.
The following table shows which resources each permission applies to and what statements it enables.
| Permission | Resource | Statements enabled |
|---|---|---|
CREATE | ALL KEYSPACES | CREATE KEYSPACES and CREATE TABLE |
CREATE | KEYSPACE | CREATE TABLE |
ALTER | ALL KEYSPACES | ALTER KEYSPACES and ALTER TABLE |
ALTER | KEYSPACE | ALTER TABLE |
DROP | ALL KEYSPACES | DROP KEYSPACES and DROP TABLE |
DROP | KEYSPACE | DROP TABLE |
SELECT | ALL KEYSPACES | SELECT KEYSPACES and SELECT TABLE |
SELECT | KEYSPACE | SELECT TABLE |
SELECT | TABLE | SELECT |
MODIFY | ALL KEYSPACES | MODIFY KEYSPACES and MODIFY TABLE |
MODIFY | KEYSPACE | MODIFY TABLE |
MODIFY | TABLE | MODIFY |
CREATE ROLE
Creates a database role.
Syntax
create_role_statement ::= CREATE ROLE [ IF NOT EXISTS ] role_name
[ WITH role_options ]
role_options ::= role_option ( AND role_option )*
role_option ::= PASSWORD '=' string
| LOGIN '=' boolean
| SUPERUSER '=' boolean
| OPTIONS '=' map_literalParameters
| Parameter | Description |
|---|---|
role_name | The name of the database role. |
PASSWORD | The password used to log on to the database. Required. |
LOGIN | Whether the role can log on to the database. Default: false. When a client connects using a role with LOGIN = true, the client is identified as that role and inherits all permissions assigned to it. |
SUPERUSER | Whether the role has superuser privileges. Default: false. A superuser can: create other superusers; execute DROP KEYSPACE, DROP TABLE, and TRUNCATE; grant permissions on keyspaces and tables to any role; and create permission hierarchies. |
OPTIONS | A map of additional options. |
Examples
Create a role with logon access:
CREATE ROLE role1 WITH PASSWORD = 'password_a' AND LOGIN = true;Create a role with logon access and superuser privileges:
CREATE ROLE role2 WITH PASSWORD = 'password_b' AND LOGIN = true AND SUPERUSER = true;ALTER ROLE
Modifies an existing database role.
Syntax
alter_role_statement ::= ALTER ROLE role_name WITH role_optionsThe parameters are the same as for CREATE ROLE. See the Parameters section above.
Use ALTER ROLE to change the logon password, logon permissions, or superuser status of a database role.
Example
Remove superuser status from bob and change the password:
ALTER ROLE bob WITH PASSWORD = 'PASSWORD_B' AND SUPERUSER = false;DROP ROLE
Deletes a database role.
Syntax
drop_role_statement ::= DROP ROLE [ IF EXISTS ] role_nameParameters
| Parameter | Description |
|---|---|
role_name | The name of the database role to delete. |
Conditions for executing DROP ROLE:
The client must have
DELETEpermission on the target role.Roles that are currently logged on cannot be deleted.
Only a superuser can delete a role that has
SUPERUSER = true.Without
IF EXISTS: dropping a nonexistent role returns an error.With
IF EXISTS: dropping a nonexistent role is a no-op.
Examples
Delete a role:
DROP ROLE bob;Delete a role without error if it does not exist:
DROP ROLE IF EXISTS bob;LIST ROLES
Displays database roles.
Syntax
list_roles_statement ::= LIST ROLES [ OF role_name ]Parameters
| Parameter | Description |
|---|---|
role_name | (Optional) The name of the database role to inspect. |
Examples
List all roles. Only superusers can execute this statement:
LIST ROLES;List the details of a specific role:
LIST ROLES OF role1;GRANT PERMISSION
Grants permissions on a resource to a database role.
Syntax
grant_permission_statement ::= GRANT permissions ON resource TO role_name
permissions ::= ALL [ PERMISSIONS ] | permission [ PERMISSION ]
permission ::= CREATE | ALTER | DROP | SELECT | MODIFY
resource ::= ALL KEYSPACES
| KEYSPACE keyspace_name
| [ TABLE ] table_nameParameters
| Parameter | Description |
|---|---|
role_name | The database role to grant permissions to. |
permission | The permission type: CREATE, ALTER, DROP, SELECT, or MODIFY. Use ALL PERMISSIONS to grant all five at once. |
resource | The resource scope: ALL KEYSPACES, KEYSPACE keyspace_name, or TABLE table_name. |
keyspace_name | The name of the keyspace. |
table_name | The name of the table. |
Examples
Grant SELECT on all keyspaces — allows the role to run SELECT on any table in the cluster:
GRANT SELECT ON ALL KEYSPACES TO role;Grant SELECT on a specific keyspace — allows the role to run SELECT on any table in ks:
GRANT SELECT ON KEYSPACE ks TO role;REVOKE PERMISSION
Revokes permissions from a database role.
Syntax
revoke_permission_statement ::= REVOKE permissions ON resource FROM role_nameThe parameters are the same as for GRANT PERMISSION. See the Parameters section above.
Example
Revoke SELECT on all keyspaces from a role:
REVOKE SELECT ON ALL KEYSPACES FROM role;LIST PERMISSIONS
Displays the permissions granted on resources.
Syntax
list_permissions_statement ::= LIST permissions [ ON resource ] [ OF role_name ]Parameters
| Parameter | Description |
|---|---|
permissions | The permission type to filter by, or ALL PERMISSIONS to list all. |
resource | (Optional) Restrict results to a specific resource. If omitted, permissions on all resources are returned. |
role_name | The database role to inspect. Required unless the client is a superuser. |
Examples
List all permissions for a role across all resources:
LIST ALL PERMISSIONS OF role;List all permissions for a role on a specific keyspace:
LIST ALL PERMISSIONS ON KEYSPACE kss OF role;