REVOKE Statement (Impala 2.0 or higher only)

The REVOKE statement revokes roles or privileges on a specified object from groups, roles, or users.

Syntax:

The following syntax is supported when Impala is using Ranger to manage authorization.

  1. REVOKE ROLE role_name FROM GROUP group_name
  2. REVOKE privilege ON object_type object_name
  3. FROM USER user_name
  4. REVOKE privilege ON object_type object_name
  5. FROM GROUP group_name
  6. REVOKE [GRANT OPTION FOR] privilege ON object_type object_name
  7. FROM [ROLE] role_name
  8. privilege ::= ALL | ALTER | CREATE | DROP | INSERT | REFRESH | SELECT | SELECT(column_name)
  9. object_type ::= SERVER | URI | DATABASE | TABLE

Usage notes:

See GRANT Statement (Impala 2.0 or higher only) for the required privileges and the scope for SQL operations.

The ALL privilege is a distinct privilege and not a union of all other privileges. Revoking SELECT, INSERT, etc. from a role that only has the ALL privilege has no effect. To reduce the privileges of that role you must REVOKE ALL and GRANT the desired privileges.

You cannot revoke a privilege granted with the WITH GRANT OPTION. If a privilege is granted with the WITH GRANT OPTION, first revoke the grant option, and then revoke the privilege.

For example:

  1. GRANT ALL ON SERVER TO ROLE foo_role;
  2. ...
  3. REVOKE GRANT OPTION FOR ALL ON SERVER FROM ROLE foo_role;
  4. REVOKE ALL ON SERVER FROM ROLE foo_role;

Typically, the object name is an identifier. For URIs, it is a string literal.

The ability to grant or revoke SELECT privilege on specific columns is available in Impala 2.3 and higher. See the documentation for Apache Sentry for details.

Required privileges:

Only administrative users for Ranger can use this statement.

Only Ranger administrative users can revoke the role from a group.

Compatibility:

  • The REVOKE statements are available in Impala 2.0 and higher.
  • Impala makes use of any roles and privileges specified by the GRANT and REVOKE statements in Hive, when your system is configured to use the Ranger service instead of the file-based policy mechanism.
  • The Impala REVOKE statements do not require the ROLE keyword to be repeated before each role name, unlike the equivalent Hive statements.
  • Currently, each Impala GRANT or REVOKE statement can only grant or revoke a single privilege to or from a single role.

Cancellation: Cannot be cancelled.

HDFS permissions: This statement does not touch any HDFS files or directories, therefore no HDFS permissions are required.

Kudu considerations:

Access to Kudu tables must be granted to and revoked from principal with the following considerations:

  • Only users with the ALL privilege on SERVER can create external Kudu tables.
  • The ALL privileges on SERVER is required to specify the kudu.master_addresses property in the CREATE TABLE statements for managed tables as well as external tables.
  • Access to Kudu tables is enforced at the table level and at the column level.
  • The SELECT- and INSERT-specific permissions are supported.
  • The DELETE, UPDATE, and UPSERT operations require the ALL privilege.

Related information:

Impala Authorization, GRANT Statement (Impala 2.0 or higher only) CREATE ROLE Statement (Impala 2.0 or higher only), DROP ROLE Statement (Impala 2.0 or higher only), SHOW Statement

Parent topic: Impala SQL Statements