REVOKE Statement (CDH 5.2 or higher only)

The REVOKE statement revokes roles or privileges on a specified object from groups. Only Sentry administrative users can revoke the role from a group. The revocation has a cascading effect. For example, revoking the ALL privilege on a database also revokes the same privilege for all the tables in that database.


REVOKE ROLE role_name FROM GROUP group_name

REVOKE privilege ON object_type object_name
  FROM [ROLE] role_name

privilege ::= SELECT | SELECT(column_name) | INSERT | ALL
object_type ::= TABLE | DATABASE | SERVER | URI

Typically, the object name is an identifier. For URIs, it is a string literal.

The ability to grant or revoke SELECT privilege on specific columns is available in CDH 5.5 / Impala 2.3 and higher. See Column-level Authorization for details.

Required privileges:

Only administrative users (those with ALL privileges on the server, defined in the Sentry policy file) can use this statement.


  • The Impala GRANT and REVOKE statements are available in CDH 5.2 and higher.
  • In CDH 5.1 and higher, Impala makes use of any roles and privileges specified by the GRANT and REVOKE statements in Hive, when your system is configured to use the Sentry service instead of the file-based policy mechanism.
  • The Impala GRANT and REVOKE statements do not require the ROLE keyword to be repeated before each role name, unlike the equivalent Hive statements.
  • Currently, each Impala GRANT or REVOKE statement can only grant or revoke a single privilege to or from a single role.

Cancellation: Cannot be cancelled.

HDFS permissions: This statement does not touch any HDFS files or directories, therefore no HDFS permissions are required.

Related information:

Enabling Sentry Authorization for Impala, GRANT Statement (CDH 5.2 or higher only) CREATE ROLE Statement (CDH 5.2 or higher only), DROP ROLE Statement (CDH 5.2 or higher only), SHOW Statement