ContextQMD
Back to Yugabyte Db

CREATE ROLE statement [YCQL]

docs/content/v2024.2/api/ycql/ddl_create_role.md

2026.1.0.0-b255.2 KB
Original Source

Synopsis

Use the CREATE ROLE statement to create a new role that is used to authenticate into YCQL and as a group of permissions is used to restrict operations on the database objects. Note that users are specific roles that are login enabled. There is no explicit CREATE USER command in YCQL.

This statement is enabled by setting the YB-TServer flag --use_cassandra_authentication to true.

Syntax

Diagram

create_role

<svg class="rrdiagram" version="1.1" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://www.w3.org/2000/svg" width="730" height="80" viewbox="0 0 730 80"><path class="connector" d="M0 52h15m68 0h10m53 0h30m32 0h10m46 0h10m64 0h20m-197 0q5 0 5 5v8q0 5 5 5h172q5 0 5-5v-8q0-5 5-5m5 0h10m87 0h30m54 0h30m-5 0q-5 0-5-5v-20q0-5 5-5h35m46 0h35q5 0 5 5v20q0 5-5 5m-5 0h40m-245 0q5 0 5 5v8q0 5 5 5h220q5 0 5-5v-8q0-5 5-5m5 0h15"/><polygon points="0,59 5,52 0,45" style="fill:black;stroke-width:0"/><rect class="literal" x="15" y="35" width="68" height="25" rx="7"/><text class="text" x="25" y="52">CREATE</text><rect class="literal" x="93" y="35" width="53" height="25" rx="7"/><text class="text" x="103" y="52">ROLE</text><rect class="literal" x="176" y="35" width="32" height="25" rx="7"/><text class="text" x="186" y="52">IF</text><rect class="literal" x="218" y="35" width="46" height="25" rx="7"/><text class="text" x="228" y="52">NOT</text><rect class="literal" x="274" y="35" width="64" height="25" rx="7"/><text class="text" x="284" y="52">EXISTS</text><a xlink:href="../grammar_diagrams#role-name"><rect class="rule" x="368" y="35" width="87" height="25"/><text class="text" x="378" y="52">role_name</text></a><rect class="literal" x="485" y="35" width="54" height="25" rx="7"/><text class="text" x="495" y="52">WITH</text><rect class="literal" x="599" y="5" width="46" height="25" rx="7"/><text class="text" x="609" y="22">AND</text><a xlink:href="../grammar_diagrams#role-property"><rect class="rule" x="569" y="35" width="106" height="25"/><text class="text" x="579" y="52">role_property</text></a><polygon points="726,59 730,59 730,45 726,45" style="fill:black;stroke-width:0"/></svg>

role_property

<svg class="rrdiagram" version="1.1" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://www.w3.org/2000/svg" width="321" height="95" viewbox="0 0 321 95"><path class="connector" d="M0 22h25m89 0h10m30 0h10m107 0h45m-301 25q0 5 5 5h5m59 0h10m30 0h10m128 0h39q5 0 5-5m-296-25q5 0 5 5v50q0 5 5 5h5m93 0h10m30 0h10m128 0h5q5 0 5-5v-50q0-5 5-5m5 0h5"/><rect class="literal" x="25" y="5" width="89" height="25" rx="7"/><text class="text" x="35" y="22">PASSWORD</text><rect class="literal" x="124" y="5" width="30" height="25" rx="7"/><text class="text" x="134" y="22">=</text><rect class="literal" x="164" y="5" width="107" height="25" rx="7"/><text class="text" x="174" y="22"><Text Literal></text><rect class="literal" x="25" y="35" width="59" height="25" rx="7"/><text class="text" x="35" y="52">LOGIN</text><rect class="literal" x="94" y="35" width="30" height="25" rx="7"/><text class="text" x="104" y="52">=</text><rect class="literal" x="134" y="35" width="128" height="25" rx="7"/><text class="text" x="144" y="52"><Boolean Literal></text><rect class="literal" x="25" y="65" width="93" height="25" rx="7"/><text class="text" x="35" y="82">SUPERUSER</text><rect class="literal" x="128" y="65" width="30" height="25" rx="7"/><text class="text" x="138" y="82">=</text><rect class="literal" x="168" y="65" width="128" height="25" rx="7"/><text class="text" x="178" y="82"><Boolean Literal></text></svg>

Grammar

ebnf
create_role ::= CREATE ROLE [ IF NOT EXISTS ] role_name
                [ WITH role_property [ AND ... ] ]

role_property ::=  PASSWORD = <Text Literal>
                 | LOGIN = <Boolean Literal>
                 | SUPERUSER = <Boolean Literal>

Where

  • role_name is a text identifier.

Semantics

  • An error is raised if role_name already exists unless the IF NOT EXISTS option is used.
  • By default, a role does not possess the LOGIN privilege nor SUPERUSER status.
  • A role with the SUPERUSER status possesses all the permissions on all the objects in the database even though they are not explicitly granted.
  • Only a role with the SUPERUSER status can create another SUPERUSER role.
  • A role with the LOGIN privilege can be used to authenticate into YQL.
  • Only a client with the permission CREATE on ALL ROLES or with the SUPERUSER status can create another role.

Examples

Create a simple role with no properties

sql
ycqlsh:example> CREATE ROLE role1;

Create a SUPERUSER role

sql
ycqlsh:example> CREATE ROLE role2 WITH SUPERUSER = true;

Create a regular user with ability to log in

You can create a regular user with login privileges as shown below. Note the SUPERUSER set to false.

sql
ycqlsh:example> CREATE ROLE role3 WITH SUPERUSER = false AND LOGIN = true AND PASSWORD = 'aid8134'

See also