Synopsis
Use the GRANT ROLE
statement to grant a role's permissions and SUPERUSER status to another role. More than one role can be granted to another role, and the receiving role will possess the union of all the permissions from the roles granted to it (either directly of indirectly through inheritance) plus the SUPERUSER status if any of the roles granted to it has it. For example, if A is granted to B, and B is granted to C, C will be granted all the permissions from A and B, and if either A or B is a SUPERUSER, then C will also be a SUPERUSER.
Granted roles form an acyclic graph, in other words, a role cannot be granted to any of the roles granted to it either directly or indirectly. For example, if A is granted to B, and B granted to C, C cannot be granted to neither A, B, nor C.
This statement is enabled by setting the YB-TServer flag --use_cassandra_authentication
to true
.
Syntax
Diagram
grant_role
Grammar
grant_role ::= GRANT ROLE role_name TO role_name
Where
role_name
is a text identifier.
Semantics
- Both roles must exist or an error will be raised.
- Permission
AUTHORIZE
onALL ROLES
or on the roles being used in the statement is necessary. Otherwise, an unauthorized error will be returned. - If a role is granted to any role granted to it (either directly or indirectly), an error will be raised.
Examples
ycqlsh:example> GRANT ROLE eng to robert;