REVOKE statement

The REVOKE statement revokes privileges on a specified object from groups or users.

Syntax:


      REVOKE privilege ON object_type object_name
      FROM USER user_name
      REVOKE privilege ON object_type object_name
      FROM GROUP group_name
      REVOKE privilege ON object_type object_name
      FROM ROLE role_name
      
        privilege ::= ALL | ALTER | CREATE | DROP | INSERT | REFRESH | SELECT | SELECT(column_name)
      
      object_type ::= SERVER | URI | DATABASE | TABLE
    

See the GRANT statement for the required privileges and the scope for SQL operations.

The ALL privilege is a distinct privilege and not a union of all other privileges.

The following syntax is supported when Impala is using Ranger to manage authorization.

REVOKE privilege ON object_type object_name
  FROM USER user_name

REVOKE privilege ON object_type object_name
  FROM GROUP group_name


  privilege ::= ALL | ALTER | CREATE | DROP | INSERT | REFRESH | SELECT | SELECT(column_name)

object_type ::= SERVER | URI | DATABASE | TABLE

You cannot revoke a privilege granted with the WITH GRANT OPTION. If a privilege is granted with the WITH GRANT OPTION, first revoke the grant option, and then revoke the privilege.

Typically, the object name is an identifier. For URIs, it is a string literal.

The ability to grant or revoke SELECT privilege on specific columns is available in Impala 2.3 and higher.

Required privileges:

Only administrative users those with ALL privileges on the server can use this statement.

Compatibility:

  • The Impala REVOKE statement is available in Impala 2.0 and higher.
  • In Impala 1.4 and higher, Impala makes use of any privileges specified by the GRANT and REVOKE statements in Hive, when your system is configured to use the Ranger service.

Cancellation: Cannot be cancelled.

HDFS permissions: This statement does not touch any HDFS files or directories, therefore no HDFS permissions are required.