Synopsis

Use the GRANT ROLE statement to grant a role's permissions and SUPERUSER status to another role. More than one role can be granted to another role, and the receiving role will possess the union of all the permissions from the roles granted to it (either directly of indirectly through inheritance) plus the SUPERUSER status if any of the roles granted to it has it. For example, if A is granted to B, and B is granted to C, C will be granted all the permissions from A and B, and if either A or B is a SUPERUSER, then C will also be a SUPERUSER.

Granted roles form an acyclic graph, in other words, a role cannot be granted to any of the roles granted to it either directly or indirectly. For example, if A is granted to B, and B granted to C, C cannot be granted to neither A, B, nor C.

This statement is enabled by setting the YB-TServer flag --use_cassandra_authentication to true.

Syntax

Diagram

grant_role

GRANTrole_nameTOrole_name

Grammar

grant_role ::= GRANT ROLE role_name TO role_name

Where

  • role_name is a text identifier.

Semantics

  • Both roles must exist or an error will be raised.
  • Permission AUTHORIZE on ALL ROLES or on the roles being used in the statement is necessary. Otherwise, an unauthorized error will be returned.
  • If a role is granted to any role granted to it (either directly or indirectly), an error will be raised.

Examples

ycqlsh:example> GRANT ROLE eng to robert;

See also