
LDAP Authorization (Role Management)

Scylla customers can manage and authorize users’ privileges via an LDAP server. LDAP is an open, vendor-neutral, industry-standard protocol for accessing and maintaining distributed user access control over a standard IP network. If your users are already stored in an LDAP directory, you can now use the same LDAP server to regulate their roles in Scylla.

Introduction

Scylla can use LDAP to manage which roles a user has. This behavior is triggered by setting the role_manager entry in scylla.yaml to com.scylladb.auth.LDAPRoleManager. When this role manager is chosen, Scylla forbids GRANT and REVOKE role statements (CQL commands), because all users get their roles from the contents of the LDAP directory.

Note

Scylla still allows GRANT and REVOKE permission statements, such as GRANT permission ON resource TO role; these are handled by the authorizer, not the role manager, so permissions can still be granted to and revoked from LDAP-managed roles. Nested Scylla roles are not supported under LDAP authorization: a role cannot be a member of another role, because in LDAP only login users can be members of a role.

When LDAP Authorization is enabled and a Scylla user authenticates to Scylla, a query is sent to the LDAP server, whose response sets the user’s roles for that login session. The user keeps the granted roles until logout; any subsequent changes to the LDAP directory are only effective at the user’s next login to Scylla.

The precise form of the LDAP query is configured by the Scylla administrator as a query template, defined in the scylla.yaml configuration file with the ldap_url_template parameter. The value of ldap_url_template should be a valid LDAP URL (e.g., as returned by the ldapurl utility from OpenLDAP) representing an LDAP query that returns entries for all of the user’s roles. Scylla replaces the text {USER} in the URL with the user’s Scylla username before querying LDAP.

Workflow

Before you begin: on your LDAP server, create LDAP directory entries for Scylla users and roles.

Workflow

  1. Create a Query Template

  2. Ensure Scylla has the same users and roles as listed in the LDAP directory.

  3. Enable LDAP as the role manager in Scylla

  4. Make Scylla reload the configuration (SIGHUP or restart)

Example: Query Template

Use this example as a starting point for a query template that retrieves the role entries you need from your LDAP server. The following template URL queries the LDAP server at localhost:5000 for all entries under base_dn that list the user’s username as one of their uniqueMember attribute values:

ldap://localhost:5000/base_dn?cn?sub?(uniqueMember={USER})

After Scylla queries LDAP and obtains the resulting entries, it looks for a particular attribute in each entry and uses that attribute’s value as a Scylla role this user will have. The name of this attribute can be configured in scylla.yaml by setting the ldap_attr_role parameter there.

When the LDAP query returns multiple entries, multiple roles will be granted to the user. Each role must already exist in Scylla, created via the CREATE ROLE CQL command beforehand.

For example, if the LDAP query returns the following results:

# extended LDIF
#
# LDAPv3

# role1, example.com
dn: cn=role1,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: role1
scyllaName: sn1
uniqueMember: uid=jsmith,ou=People,dc=example,dc=com
uniqueMember: uid=cassandra,ou=People,dc=example,dc=com

# role2, example.com
dn: cn=role2,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: role2
scyllaName: sn2
uniqueMember: uid=cassandra,ou=People,dc=example,dc=com

# role3, example.com
dn: cn=role3,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: role3
uniqueMember: uid=jdoe,ou=People,dc=example,dc=com

If ldap_attr_role is set to cn, the resulting role set will be { role1, role2, role3 } (assuming, of course, that these roles already exist in Scylla). If ldap_attr_role is set to scyllaName instead, the resulting role set will be { sn1, sn2 }: the role3 entry has no scyllaName attribute. An LDAP entry that does not have the ldap_attr_role attribute is simply ignored.

Before Scylla attempts to query the LDAP server, it first performs an LDAP bind operation to gain access to the directory information. Scylla executes a simple bind with credentials configured in scylla.yaml. The parameters ldap_bind_dn and ldap_bind_passwd must contain, respectively, the distinguished name and password that Scylla uses to perform the simple bind.
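As an added illustration (not part of the ScyllaDB documentation or code), the following Python reproduces the role-resolution rule above on the LDIF shown: each returned entry contributes its ldap_attr_role value, entries lacking the attribute are ignored, and any name with no matching CREATE ROLE in Scylla is reported separately. The minimal LDIF parser is written for this example only.

```python
# Constructed sample: the three group entries shown on this page, as LDIF.
SAMPLE_LDIF = """\
# extended LDIF

# role1, example.com
dn: cn=role1,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: role1
scyllaName: sn1
uniqueMember: uid=jsmith,ou=People,dc=example,dc=com
uniqueMember: uid=cassandra,ou=People,dc=example,dc=com

# role2, example.com
dn: cn=role2,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: role2
scyllaName: sn2
uniqueMember: uid=cassandra,ou=People,dc=example,dc=com

# role3, example.com
dn: cn=role3,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: role3
uniqueMember: uid=jdoe,ou=People,dc=example,dc=com
"""

def parse_ldif(text):
    """Split LDIF output into entries (dict attribute -> list of values).
    Comment lines are skipped; base64 (::) values and line folding are not handled."""
    entries, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():               # a blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def resolve_roles(entries, ldap_attr_role, existing_roles):
    """Documented rule: each entry contributes its ldap_attr_role value(s); entries
    without it are ignored. Returns (grantable, missing): 'missing' lacks CREATE ROLE."""
    wanted = {v for e in entries for v in e.get(ldap_attr_role, [])}
    return wanted & set(existing_roles), wanted - set(existing_roles)
```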

Enable LDAP Authorization

This procedure enables LDAP Authorization, so that roles are managed by LDAP rather than by Scylla. See the Note above.

  1. Open the scylla.yaml file in an editor. The file is located in /etc/scylla/scylla.yaml by default.

  2. Edit the role_manager section. Change the entry to com.scylladb.auth.LDAPRoleManager. If this section does not exist, add it to the file. Configure the parameters according to your organization’s IT and Security Policy.

    role_manager: "com.scylladb.auth.LDAPRoleManager"
    ldap_url_template: "ldap://localhost:123/dc=example,dc=com?cn?sub?(uniqueMember=uid={USER},ou=People,dc=example,dc=com)"
    ldap_attr_role: "cn"
    ldap_bind_dn: "cn=root,dc=example,dc=com"
    ldap_bind_passwd: "secret"
    
  3. Restart the scylla-server service or kill the scylla process.

    sudo systemctl restart scylla-server

    For a Docker deployment, restart only the scylla process inside the container (without restarting the some-scylla container itself):

    docker exec -it some-scylla supervisorctl restart scylla

Disable LDAP Authorization

  1. Open the scylla.yaml file in an editor. The file is located in /etc/scylla/scylla.yaml by default.

  2. Comment out or delete the role_manager section.

  3. Restart the scylla-server service or kill the scylla process.

    sudo systemctl restart scylla-server

    For a Docker deployment, restart only the scylla process inside the container (without restarting the some-scylla container itself):

    docker exec -it some-scylla supervisorctl restart scylla

Troubleshooting

Before configuring Scylla, it is a good idea to validate the query template by manually ensuring that the LDAP server returns the correct entries when queried. This can be accomplished by using an LDAP search tool such as ldapsearch.

If manual querying does not yield correct results, then Scylla cannot see correct results, either. Try to adjust ldapsearch parameters until it returns the correct role entries for one user.

Once that works as expected, you can use the ldapurl utility to transform the parameters into a URL providing a basis for the ldap_url_template.

Tip

Always provide an explicit -s flag to both ldapsearch and ldapurl; the default -s value differs between the two tools.

Remember to replace the specific user name with {USER} in the URL template. You can turn on debug logging in the LDAP role manager by passing the following argument to the Scylla executable: --logger-log-level ldap_role_manager=debug. This makes Scylla log useful additional details about the LDAP responses it receives.

If ldapsearch yields expected results but Scylla queries do not, first check the host and port parts of the URL template and make sure both ldapsearch and Scylla are actually querying the same LDAP server. Then check the LDAP logs and see if there are any subtle differences between the logged queries of ldapsearch and Scylla.
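As an added helper (not one of the OpenLDAP or ScyllaDB tools), this Python function turns an ldap_url_template into the equivalent ldapsearch command line with an explicit -s, so the host, port, base DN, scope and filter that Scylla will use can be compared directly with the hand-tested query. The default scope and filter for empty URL fields follow RFC 4516 and are assumptions about the template, not documented Scylla behaviour.

```python
from urllib.parse import unquote, urlsplit

def ldapsearch_args(template, user, bind_dn=None):
    """Translate an ldap_url_template into the ldapsearch argument list that
    issues the same query for one user. LDAP URL layout (RFC 4516):
    ldap://host:port/base?attrs?scope?filter (trailing fields may be empty)."""
    url = template.replace("{USER}", user)         # the substitution Scylla performs
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %s" % template)
    fields = unquote(parts.query).split("?") + ["", "", ""]
    attrs, scope, filt = fields[0], fields[1], fields[2]
    host = parts.hostname or "localhost"
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    args = ["ldapsearch", "-H", "%s://%s:%d" % (parts.scheme, host, port),
            "-b", unquote(parts.path.lstrip("/")),
            # -s is always explicit: ldapsearch and ldapurl default to different
            # scopes; an empty scope field in the URL means "base" (RFC 4516 assumption)
            "-s", scope or "base"]
    if bind_dn:
        args += ["-D", bind_dn, "-W"]               # simple bind, prompt for the password
    args.append(filt or "(objectClass=*)")          # RFC 4516 default filter (assumption)
    args += [a for a in attrs.split(",") if a]      # requested attributes, e.g. cn
    return args
```

Compare the -H host:port in the output with the server you pointed ldapsearch at by hand; a mismatch there is the first thing the troubleshooting steps above tell you to rule out.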

Last updated on 09 Apr 2025.