Synopsis
Use the CREATE ROLE statement to create a new role. A role is used to authenticate into YCQL and, as a group of permissions, to restrict operations on the database objects. Note that users are specific roles that are login enabled. There is no explicit CREATE USER command in YCQL.
This statement is enabled by setting the YB-TServer flag --use_cassandra_authentication to true.
Syntax
Diagram
[Syntax diagrams: create_role, role_property]
Grammar
create_role ::= CREATE ROLE [ IF NOT EXISTS ] role_name
                [ WITH role_property [ AND ... ] ]
role_property ::= PASSWORD = <Text Literal>
                | LOGIN = <Boolean Literal>
                | SUPERUSER = <Boolean Literal>
Where role_name is a text identifier.
Semantics
- An error is raised if role_name already exists unless the IF NOT EXISTS option is used.
- By default, a role does not possess the LOGIN privilege nor SUPERUSER status.
- A role with the SUPERUSER status possesses all the permissions on all the objects in the database even though they are not explicitly granted.
- Only a role with the SUPERUSER status can create another SUPERUSER role.
- A role with the LOGIN privilege can be used to authenticate into YQL.
- Only a client with the permission CREATE on ALL ROLES or with the SUPERUSER status can create another role.
Examples
Create a simple role with no properties
ycqlsh:example> CREATE ROLE role1;
Create a SUPERUSER role
ycqlsh:example> CREATE ROLE role2 WITH SUPERUSER = true;
Create a regular user with ability to log in
You can create a regular user with login privileges as shown below. Note that SUPERUSER is set to false.
ycqlsh:example> CREATE ROLE role3 WITH SUPERUSER = false AND LOGIN = true AND PASSWORD = 'aid8134';
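Added example (not part of the YugabyteDB documentation): a small Python checker that parses CREATE ROLE statements according to the grammar above, applies the defaults from the Semantics section, and lists properties worth a look when reviewing schema or migration scripts. The function names and the finding labels are hypothetical, and role_name is assumed to be an unquoted identifier.

```python
import re

# Grammar from the page:
#   create_role   ::= CREATE ROLE [ IF NOT EXISTS ] role_name
#                     [ WITH role_property [ AND ... ] ]
#   role_property ::= PASSWORD = <Text> | LOGIN = <Bool> | SUPERUSER = <Bool>
STMT = re.compile(
    r"^\s*CREATE\s+ROLE\s+(?P<ine>IF\s+NOT\s+EXISTS\s+)?(?P<name>\w+)"
    r"(?:\s+WITH\s+(?P<props>.+?))?\s*;?\s*$", re.I | re.S)
PROP = re.compile(
    r"(?P<pw>PASSWORD)\s*=\s*'(?:[^']|'')*'"
    r"|(?P<flag>LOGIN|SUPERUSER)\s*=\s*(?P<bool>true|false)\b", re.I)
AND = re.compile(r"\s+AND\s+", re.I)

def parse_create_role(stmt):
    """Return the effective properties of one CREATE ROLE statement."""
    m = STMT.match(stmt)
    if not m:
        raise ValueError("not a CREATE ROLE statement")
    # Defaults per the Semantics section: no LOGIN, no SUPERUSER.
    role = {"name": m["name"], "if_not_exists": bool(m["ine"]),
            "login": False, "superuser": False, "has_password": False}
    props, pos = m["props"], 0
    while props is not None:
        p = PROP.match(props, pos)  # scan, so ' AND ' inside a literal is safe
        if not p:
            raise ValueError(f"bad role_property at offset {pos}")
        if p["pw"]:
            role["has_password"] = True
        else:
            role[p["flag"].lower()] = p["bool"].lower() == "true"
        sep = AND.match(props, p.end())
        if sep is None:
            if p.end() != len(props):
                raise ValueError("unexpected text after role_property")
            break
        pos = sep.end()
    return role

def review(stmt):
    """Hypothetical review rules; returns (role, findings)."""
    role, findings = parse_create_role(stmt), []
    if role["superuser"]:
        findings.append("superuser")          # all permissions on all objects
    if role["has_password"]:
        findings.append("password-literal")   # secret is in the statement text
    if role["login"] and not role["has_password"]:
        findings.append("login-no-password")  # LOGIN set, no PASSWORD property
    return role, findings
```

Pass each statement without the ycqlsh prompt, for example review("CREATE ROLE role2 WITH SUPERUSER = true;").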