Enable authentication in cassandra.yaml using following 2 properties.

authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer

Login to cqlsh using default password for "cassandra" role

$ cqlsh -u cassandra -p cassandra

Update the existing cassandra

cqlsh> ALTER ROLE cassandra WITH PASSWORD = '<some_secure_pasword>'; 

Create a new role with password for the cassandra role.

cqlsh> CREATE ROLE dba WITH PASSWORD = '<some_secure_pasword>' AND SUPERUSER = true AND LOGIN = true;


Cassandra supports role based authorization. From data access point of view, table level permission is the most granular permission allowed in Cassandra. Column level, row level or cell level permissions are not allowed at this moment.

Login to cqlsh using cassandra user name

$ bin/cqlsh -u cassandra -p cassandra
Connected to Test Cluster at
[cqlsh 5.0.1 | Cassandra 3.11.3 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.

Create a role name - api.

cassandra@cqlsh> CREATE ROLE api WITH PASSWORD = 'pass123' AND SUPERUSER = true AND LOGIN = true;
cassandra@cqlsh> list roles;

 role      | super | login | options
       api | False |  True |        {}
 cassandra |  True |  True |        {}

Create a employees keyspace, create two tables and insert some sample records

cassandra@cqlsh> create KEYSPACE employees WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1};
cassandra@cqlsh> use employees;
cassandra@cqlsh:employees> create table employee(id int primary key, name text);
cassandra@cqlsh:employees> insert into employee(id, name) values (1, 'user 01');
cassandra@cqlsh:employees> create table salary(emp_id int primary key, salary int);
cassandra@cqlsh:employees> insert into salary(emp_id, salary) values (1, 100000);

Grant select permission to employees.employee table but revoke SELECT access from employees.salary.

cassandra@cqlsh:employees> GRANT SELECT ON TABLE employees.employee TO api;
cassandra@cqlsh:employees> REVOKE SELECT ON TABLE employees.salary FROM api;
cassandra@cqlsh:employees> LIST ALL PERMISSIONS OF api;

 role | username | resource                   | permission
  api |      api | <table employees.employee> |     SELECT

In another terminal login to cqlsh using api role.

$ bin/cqlsh -u api -p pass123  
[cqlsh 5.0.1 | Cassandra 3.11.3 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
api@cqlsh> use employees;

Try to run select statement on employee table and salary tables.

api@cqlsh:employees> select * from employee;

 id | name
  1 | user 01

api@cqlsh:employees> select * from salary;
Unauthorized: Error from server: code=2100 [Unauthorized] message="User api has no SELECT permission on <table employees.salary> or any of its parents"

As expected, we could query employee table but not the salary table.

Permissions can be granted on:

  • CREATE - keyspace, table, function, role, index
  • ALTER - keyspace, table, function, role
  • DROP - keyspace, table, function, role, index
  • SELECT - keyspace, table
  • AUTHORIZE - GRANT PERMISSION, REVOKE PERMISSION - keyspace, table, function, and role

See here for more details

Enable Remote JMX

SSL Driver for Cassandra