Authorization is the process by where users are granted permissions which entitle them to access or change data on specific keyspaces, tables or an entire datacenter. Authorization for Scylla is done internally within Scylla and is not done with a third party such as LDAP or OAuth. Granting permissions to users requires the use of a role such as Database Administrator and requires a user who has been authenticated.
Authorization is enabled using the authorizer setting in scylla.yaml. Scylla has two authorizers available:
AllowAllAuthorizer(default setting) - which performs no checking and so effectively grants all permissions to all roles. This must be used if AllowAllAuthenticator is the configured authenticator.
ScyllaAuthorizer- which implements permission management functionality and stores its data in Scylla system tables.
Permissions are modeled as a whitelist, and as such, a given role has no access to any database resource, unless specified. The implication of this is that once authorization is enabled on a node, all requests will be rejected until the required permissions have been granted. For this reason, it is strongly recommended to perform the initial setup on a node which is not processing client requests.
The following assumes that authentication has already been enabled via the process outlined in Enable Authentication. Perform these steps to enable internal authorization across the cluster:
- On the selected node, edit scylla.yaml to change the authorizer option to ScyllaAuthorizer:
- Restart the node.
- Open a new cqlsh session using the credentials of a role with superuser credentials. For example:
cqlsh -u dba -p super
- Configure the appropriate access privileges for your clients using GRANT PERMISSION statements. On the other nodes, until configuration is updated and the node restarted, this will have no effect so disruption to clients is avoided.
GRANT SELECT ON ks.t1 TO db_user;
- Continue in this manner to grant permissions. Once all the necessary permissions have been granted, repeat steps 1 and 2 for each node in turn. As each node restarts and clients reconnect, the enforcement of the granted permissions will begin.
- To remove permission from any role or user, see REVOKE PERMISSION.
- Getting Started
- Scylla for Administrators
- Administration Guide
- Admin Tools
- Scylla Manager
- Upgrade Procedures
- System Configuration
- Scylla Security Checklist
- Enable Authentication
- Enable and Disable Authentication Without Downtime
- Enable Authorization
- Grant Authorization CQL Reference
- Role Based Access Control (RBAC)
- Scylla Auditing Guide
- Encryption: Data in Transit Client to Node
- Encryption: Data in Transit Node to Node
- Generating a self-signed Certificate Chain Using openssl
- Scylla for Developers
- Scylla Cloud
- Scylla Architecture
- Knowledge Base
- Scylla FAQ
- Contributing to Scylla