REVOKE Statement (Impala 2.0 or higher only)
The REVOKE
statement revokes roles or privileges on a specified object from groups.
Syntax:
REVOKE ROLE role_name FROM GROUP group_name
REVOKE privilege ON object_type object_name
FROM [ROLE] role_name
privilege ::= ALL | ALTER | CREATE | DROP | INSERT | REFRESH | SELECT | SELECT(column_name)
object_type ::= TABLE | DATABASE | SERVER | URI
See GRANT Statement (Impala 2.0 or higher only) for the required privileges and the scope for SQL operations.
The ALL
privilege is a distinct privilege and not a union of all other privileges. Revoking SELECT
, INSERT
, etc. from a role that only has the ALL
privilege has no effect. To reduce the privileges of that role you must REVOKE ALL
and GRANT
the desired privileges.
Typically, the object name is an identifier. For URIs, it is a string literal.
The ability to grant or revoke SELECT
privilege on specific columns is available in Impala 2.3 and higher. See the documentation for Apache Sentry for details.
Required privileges:
Only administrative users (those with ALL
privileges on the server, defined in the Sentry policy file) can use this statement.
Only Sentry administrative users can revoke the role from a group.
Compatibility:
- The
REVOKE
statements are available in Impala 2.0 and higher. - In Impala 1.4 and higher, Impala makes use of any roles and privileges specified by the
GRANT
andREVOKE
statements in Hive, when your system is configured to use the Sentry service instead of the file-based policy mechanism. - The Impala
REVOKE
statements do not require theROLE
keyword to be repeated before each role name, unlike the equivalent Hive statements. - Currently, each Impala
GRANT
orREVOKE
statement can only grant or revoke a single privilege to or from a single role.
Cancellation: Cannot be cancelled.
HDFS permissions: This statement does not touch any HDFS files or directories, therefore no HDFS permissions are required.
Kudu considerations:
Access to Kudu tables must be granted to and revoked from roles with the following considerations:
- Only users with the
ALL
privilege onSERVER
can create external Kudu tables. - The
ALL
privileges onSERVER
is required to specify thekudu.master_addresses
property in theCREATE TABLE
statements for managed tables as well as external tables. - Access to Kudu tables is enforced at the table level and at the column level.
- The
SELECT
- andINSERT
-specific permissions are supported. - The
DELETE
,UPDATE
, andUPSERT
operations require theALL
privilege.
Because non-SQL APIs can access Kudu data without going through Sentry authorization, currently the Sentry support is considered preliminary and subject to change.
Related information:
Enabling Sentry Authorization for Impala, GRANT Statement (Impala 2.0 or higher only) CREATE ROLE Statement (Impala 2.0 or higher only), DROP ROLE Statement (Impala 2.0 or higher only), SHOW Statement
Parent topic: Impala SQL Statements