REVOKE Statement (Impala 2.0 or higher only)
The REVOKE statement revokes roles or privileges on a specified object from groups, roles, or users.
Syntax:
The following syntax is supported when Impala is using Ranger to manage authorization.
REVOKE ROLE role_name FROM GROUP group_name
REVOKE privilege ON object_type object_name
FROM USER user_name
REVOKE privilege ON object_type object_name
FROM GROUP group_name
REVOKE [GRANT OPTION FOR] privilege ON object_type object_name
FROM [ROLE] role_name
privilege ::= ALL | ALTER | CREATE | DROP | INSERT | REFRESH | SELECT | SELECT(column_name)
object_type ::= SERVER | URI | DATABASE | TABLE
Usage notes:
See GRANT Statement (Impala 2.0 or higher only) for the required privileges and the scope for SQL operations.
The ALL privilege is a distinct privilege and not a union of all other privileges. Revoking SELECT, INSERT, etc. from a role that only has the ALL privilege has no effect. To reduce the privileges of that role you must REVOKE ALL and GRANT the desired privileges.
You cannot revoke a privilege granted with the WITH GRANT OPTION. If a privilege is granted with the WITH GRANT OPTION, first revoke the grant option, and then revoke the privilege.
For example:
GRANT ALL ON SERVER TO ROLE foo_role;
...
REVOKE GRANT OPTION FOR ALL ON SERVER FROM ROLE foo_role;
REVOKE ALL ON SERVER FROM ROLE foo_role;
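The two usage notes above, combined into one privilege-reduction sequence. This is an added example, not part of the original Impala documentation; the names analyst_role and sales_db are hypothetical, and it assumes the session belongs to an administrative user.

```sql
-- Added example: analyst_role and sales_db are hypothetical names.
CREATE ROLE analyst_role;
GRANT ALL ON DATABASE sales_db TO ROLE analyst_role WITH GRANT OPTION;

-- No effect: the role holds only ALL, which is a distinct privilege,
-- so there is no separate INSERT grant to take away.
REVOKE INSERT ON DATABASE sales_db FROM ROLE analyst_role;

-- Check before changing anything: ALL on sales_db is still listed.
SHOW GRANT ROLE analyst_role;

-- Step 1: the privilege was granted WITH GRANT OPTION, so the grant
-- option has to be revoked first.
REVOKE GRANT OPTION FOR ALL ON DATABASE sales_db FROM ROLE analyst_role;

-- Step 2: now the ALL privilege itself can be revoked.
REVOKE ALL ON DATABASE sales_db FROM ROLE analyst_role;

-- Step 3: grant back only what the role needs. Each statement carries a
-- single privilege for a single role, so further privileges need
-- further GRANT statements.
GRANT SELECT ON DATABASE sales_db TO ROLE analyst_role;

-- Verify the result: only SELECT on sales_db should remain for the role.
SHOW GRANT ROLE analyst_role;
```

Between step 2 and step 3 the role has no privileges on the database, so queries run through that role in that window fail with an authorization error.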
Typically, the object name is an identifier. For URIs, it is a string literal.
The ability to grant or revoke SELECT privilege on specific columns is available in Impala 2.3 and higher. See the documentation for Apache Sentry for details.
Required privileges:
Only administrative users for Ranger can use this statement.
Only Ranger administrative users can revoke the role from a group.
Compatibility:
- The REVOKE statements are available in Impala 2.0 and higher.
- Impala makes use of any roles and privileges specified by the GRANT and REVOKE statements in Hive, when your system is configured to use the Ranger service instead of the file-based policy mechanism.
- The Impala REVOKE statements do not require the ROLE keyword to be repeated before each role name, unlike the equivalent Hive statements.
- Currently, each Impala GRANT or REVOKE statement can only grant or revoke a single privilege to or from a single role.
Cancellation: Cannot be cancelled.
HDFS permissions: This statement does not touch any HDFS files or directories, therefore no HDFS permissions are required.
Kudu considerations:
Access to Kudu tables must be granted to and revoked from principals with the following considerations:
- Only users with the ALL privilege on SERVER can create external Kudu tables.
- The ALL privilege on SERVER is required to specify the kudu.master_addresses property in the CREATE TABLE statements for managed tables as well as external tables.
- Access to Kudu tables is enforced at the table level and at the column level.
- The SELECT- and INSERT-specific permissions are supported.
- The DELETE, UPDATE, and UPSERT operations require the ALL privilege.
Related information:
Impala Authorization, GRANT Statement (Impala 2.0 or higher only), CREATE ROLE Statement (Impala 2.0 or higher only), DROP ROLE Statement (Impala 2.0 or higher only), SHOW Statement