REVOKE statement
The REVOKE
statement revokes privileges on a
specified object from groups or users.
Syntax:
REVOKE privilege ON object_type object_name
FROM USER user_name
REVOKE privilege ON object_type object_name
FROM GROUP group_name
REVOKE privilege ON object_type object_name
FROM ROLE role_name
privilege ::= ALL | ALTER | CREATE | DROP | INSERT | REFRESH | SELECT | SELECT(column_name)
object_type ::= SERVER | URI | DATABASE | TABLE
See the GRANT
statement for the required privileges and the scope for SQL
operations.
The ALL
privilege is a distinct privilege and not a union
of all other privileges.
The following syntax is supported when Impala is using Ranger to manage authorization.
REVOKE privilege ON object_type object_name
FROM USER user_name
REVOKE privilege ON object_type object_name
FROM GROUP group_name
privilege ::= ALL | ALTER | CREATE | DROP | INSERT | REFRESH | SELECT | SELECT(column_name)
object_type ::= SERVER | URI | DATABASE | TABLE
You cannot revoke a privilege granted with the WITH GRANT OPTION
. If a
privilege is granted with the WITH GRANT OPTION
, first revoke the grant
option, and then revoke the privilege.
Typically, the object name is an identifier. For URIs, it is a string literal.
The ability to grant or revoke SELECT
privilege on
specific columns is available in Impala 2.3 and higher.
Required privileges:
Only administrative users those with ALL
privileges on the
server can use this statement.
Compatibility:
- The Impala
REVOKE
statement is available in Impala 2.0 and higher. - In Impala 1.4 and higher, Impala makes use of any privileges
specified by the
GRANT
andREVOKE
statements in Hive, when your system is configured to use the Ranger service.
Cancellation: Cannot be cancelled.
HDFS permissions: This statement does not touch any HDFS files or directories, therefore no HDFS permissions are required.