Role Based Access Control (RBAC)¶
Introduced in Scylla 2.2, Role Based Access Control (RBAC) is a method of reducing lists of authorized users to a few roles assigned to multiple users. RBAC is sometimes referred to as role-based security.
Roles supersede users, and generalize them. In addition to doing with roles everything that you could previously do with users in older versions of Scylla, roles can be granted to other roles. If a role developer is granted to manager, then all permissions of developer are granted to manager.
In order to distinguish roles which correspond uniquely to an individual person and roles which are representative of a group, any role that can login is a user. Within that framework you can conclude that all users are roles, but not all roles are users.
For example there is an organization with a role based hierarchy. The organization has roles such as Guest who is not a member of the organization has the least amount of privileges. The DB Administrator role has the most. Engineer and QA roles have similar privileges but do not have permission to modify each other’s keyspace. Creating a structure like this is quite useful when you have permissions granted to representative roles instead of individual users. Using RBAC allows you to add and remove permissions with ease without affecting other users. Suppose there is a new engineer which joined the organization. This is not a problem! All you would do is create a user for that engineer with the engineer role. Once the role is assigned to the user the user inherits all of the permissions for that role. In the same manner, should someone leave the organization, all you would have to do is assign that user to a non-employee role (Guest, for example). Should someone change positions at the company, just assign the user to the new role.
To build an RBAC environment, you need to create the roles and their associated permissions and then assign or grant the roles to the individual users. Roles inherit the permissions of any other roles that they are granted. The hierarchy of roles can be either simple or extremely complex. This gives great flexibility to database administrators, where they can create specific permission conditions without incurring a huge administrative burden.
When creating a role, you grant it permissions and resources. The permission is what the role is permitted to do and the resource is the scope over which the permission is granted for. The format of the permission granting is:
GRANT (permission | "ALL PERMISSIONS") ON resource TO role where:
- Where permission is CREATE, DESCRIBE, etc.
- A resource is one of
- “KEYSPACE <ks>”
- “ALL KEYSPACES”
- “ROLE <role>”
- “ALL ROLES”
- Note that An unqualified table name assumes the current keyspace
This is a use case which is given as an example. You should modify the commands to your organization’s requirements. In an insurance company there are agents and supervisors. As there are thousands of agents and hundreds of supervisors the company has instituted RBAC for their organization. Each agent is able to add information to the customer database and read information from the customer database but only supervisors can remove records. There is also a database administrator who manages the database users. As the agents and supervisors have scope over the same tables and keyspaces, the role distribution diagram looks like the following:
In this case three roles would be created: agent, supervisor, and administrator.
The agent would have the following permissions:
- CREATE, DESCRIBE, and MODIFY only the customer.data table
- SELECT all keyspaces
The supervisor on the other hand would be able to do everything an agent could plus: * CREATE, DESCRIBE, SELECT and MODIFY all keyspaces and tables * ALTER and DROP only from the customer.data table.
The administrator role has all permissions to do everything.
1. Create the Agent role. It is best to start your hierarchy from the bottom. Creating the agent role first allows you to grant it to the supervisor which you will do in a later step.
CREATE ROLE agent;
2. Set the permission settings for agent. According to our list above, the agent role would be granted permissions by running the following commands:
GRANT CREATE ON customer.data TO agent; GRANT DESCRIBE ON customer.data TO agent; GRANT SELECT ON ALL KEYSPACES TO agent; GRANT MODIFY ON customer.data TO agent; ...
Continue until all of the permissions have been granted to the agent role.
- Ceate the supervisor role.
CREATE ROLE supervisor;
- Assign all the agent role to the supervisor role. In this way the supervisor inherits the agent role’s permissions.
GRANT agent TO supervisor;
- With the supervisor role created and granted the basic agent permission settings, give the supervisor the additional permissions that the role requires.
GRANT ALTER ON customer.data TO supervisor; GRANT DROP ON customer.data TO supervisor; GRANT CREATE ON ALL KEYSPACES TO supervisor; GRANT DESCRIBE ON ALL KEYSPACES TO supervisor; GRANT MODIFY ON ALL KEYSPACES TO supervisor;
- Now create the database administrator role.
CREATE ROLE administrator WITH SUPERUSER = true
This role already has complete read and write permissions on all tables and keyspaces and does not need to be granted anything else. The superuser permission setting is by default disabled. Only for the administrator does it need to be enabled.
7. Create users and assign the roles to them. This is done in the same fashion as the role, but the password and login information are added. In this example Lisa is an agent, Mary is the supervisor, and Dennis is the admin.
CREATE ROLE 'lisa.bennett' WITH SUPERUSER = false AND LOGIN = true AND PASSWORD = 'abcInsuranceAgent';
CREATE ROLE 'mary.williams' WITH SUPERUSER = false AND LOGIN = true AND PASSWORD = 'abcInsuranceSupervisor';
CREATE ROLE 'dennis.smith' WITH SUPERUSER = true AND LOGIN = true AND PASSWORD = 'abcInsuranceAdmin'
- Assign the roles to the users.
GRANT agent TO 'lisa.bennett'; GRANT supervisor TO 'mary.williams'; GRANT administrator TO 'dennis.smith';
- Check that each user has the privileges they should have.
LIST ALL PERMISSIONS OF agent; ╭──────┬──────────────┬──────────────────────────┬─────────────╮ │ role │ username │ resource │ permission │ ├──────┼──────────────┼──────────────────────────┼─────────────┤ │agent │ lisa.bennett │ keyspace customer.data │ CREATE │ ├──────┼──────────────┼──────────────────────────┼─────────────┤ │agent │ lisa.bennett │ keyspace customer.data │ DESCRIBE │ ├──────┼──────────────┼──────────────────────────┼─────────────┤ │agent │ lisa.bennett │ keyspace customer.data │ MODIFY │ ╰──────┴──────────────┴──────────────────────────┴─────────────╯